- From: Ilari Liusvaara <ilariliusvaara@welho.com>
- Date: Sun, 16 Jul 2017 18:35:01 +0300
- To: Piotr Sikora <piotrsikora@google.com>
- Cc: Nick Sullivan <nicholas.sullivan@gmail.com>, Erik Nygren <erik@nygren.org>, Patrick McManus <mcmanus@ducksong.com>, Ryan Hamilton <rch@google.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Sun, Jul 16, 2017 at 01:18:29PM +0200, Piotr Sikora wrote: > As mentioned on GitHub [1], where we also discussed this, I believe > that the "skip DNS" extension makes sense, provided that it's used > together with CT. Unfortunately, certificate extensions have a few problems here: - Probably takes a long time for many CAs to support them, or to get support that allows the extension be requested via CSR, as other methods are a PITA. - It is just as easy to get misissued certificate with this extension as one without (provoded CA that misisues supports this extension)! - In which case I would want a certificate without this extension? (the decision weither to actually coalesce or not can be rather complicated one... Even when it does not involve perverse incentives, like in that "CDN policy" case in the issue). > But if we go that route, then that extension might be a bit more > generic and perhaps not restricted to the ORIGIN frame, in which case > the ORIGIN frame draft should re-focus on restricting the scope of the > origin-set and not bypassing DNS, as suggested by Erik. Oh, and with regards with my earlier comment about many servers mishandling origins, I suppose that if server actually sends an ORIGIN for given origin, it can actually properly handle that origin. As the the overwhelmingly most common source of mishandling is default virtual hosts. > [1] https://github.com/httpwg/http-extensions/issues/330 -Ilari
Received on Sunday, 16 July 2017 15:35:37 UTC