Re: Skipping DNS resolutions with ORIGIN frame

On Sun, Jul 16, 2017 at 5:35 PM Ilari Liusvaara <>

> On Sun, Jul 16, 2017 at 01:18:29PM +0200, Piotr Sikora wrote:
> > As mentioned on GitHub [1], where we also discussed this, I believe
> > that the "skip DNS" extension makes sense, provided that it's used
> > together with CT.
> Unfortunately, certificate extensions have a few problems here:
> - Probably takes a long time for many CAs to support them, or to get
>   support that allows the extension be requested via CSR, as other
>   methods are a PITA.

I actually don't see this as a particularly high barrier. Only a few
high-powered sites that use a multi-CDN strategy are going to need it
(assuming it's a "require DNS" extension). They have a lot of leverage over
their CAs.

> - It is just as easy to get misissued certificate with this
>   extension as one without (provoded CA that misisues supports this
>   extension)!

This is why CT is an important requirement. If a CA issues such a cert, it
is misissuance will be caught.

> - In which case I would want a certificate without this extension?
>   (the decision weither to actually coalesce or not can be rather
>   complicated one... Even when it does not involve perverse
>   incentives, like in that "CDN policy" case in the issue).
> > But if we go that route, then that extension might be a bit more
> > generic and perhaps not restricted to the ORIGIN frame, in which case
> > the ORIGIN frame draft should re-focus on restricting the scope of the
> > origin-set and not bypassing DNS, as suggested by Erik.
> Oh, and with regards with my earlier comment about many servers
> mishandling origins, I suppose that if server actually sends an ORIGIN
> for given origin, it can actually properly handle that origin. As the
> the overwhelmingly most common source of mishandling is default
> virtual hosts.
> > [1]
> -Ilari

Received on Sunday, 16 July 2017 16:05:51 UTC