- From: Patrick McManus <mcmanus@ducksong.com>
- Date: Sun, 16 Jul 2017 19:25:27 +0000 (UTC)
- To: Nick Sullivan <nicholas.sullivan@gmail.com>
- Cc: Ilari Liusvaara <ilariliusvaara@welho.com>, Erik Nygren <erik@nygren.org>, Patrick McManus <mcmanus@ducksong.com>, Piotr Sikora <piotrsikora@google.com>, Ryan Hamilton <rch@google.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <CAOdDvNqeZKrisJ0uXoXy9Cq6P6Frpm=D80aHntxQCCUT9A9kaA@mail.gmail.com>
On Sun, Jul 16, 2017 at 12:15 PM, Nick Sullivan <nicholas.sullivan@gmail.com > wrote: > There is merit to both sides. Requiring DNS adds a weak second factor for > routing decisions, which is useful in multi-CDN situations, or extra-broad > certificates, where you want to prevent a CDN from routing extra traffic > via ORIGIN. On the other hand, skipping DNS is a big step forward for both > performance and privacy, it basically solves the encrypted SNI issue. > > I think this notion of exchanging the DNS weak second factor for some other factor(s) with better perf and privacy properties is promising. Let's work with that and thanks especially to Ryan for getting the conversation going in that general direction. First, I'd like to add to the ORIGIN benefit list - beyond perf and privacy I believe ORIGIN is operationally superior to the DNS coalescing of 7540. By 7540 rules this DNS test will fail any time the zone operator can't return a set that matches the resolution that happened when the connection was established. For any DNS server that has more addresses to choose from than it puts in the RR set, this can be a challenge. I _know_ that 7540 coalescing fails all of the time because of this (and if it were because of traffic management (which it generally is not because I've debugged it with the operators) then ORIGIN provides a finer control for that anyhow) ISTM the primary concern is that the DNS provision amplifies the power of the certificate (depending on how much value you think DNS has a second factor that could be by a factor of 1.0001 to MAXINT - we probably don't need to come to consensus on it) in the case of misissuance or compromise. So curating from the ideas floating around I would suggest that a origin client MUST skip the DNS check if a] the connection certificate used to validate the origin comes with SCT. This is to mitigate against mis-issuance. Given that we can expect all public certifcates published a year from now to deal with CT, this seems pretty easy operationally to me. b] the connection certificate used to validate the origin passes a revocation check. This is to mitigate against compromise. In the case OCSP was not stapled the client could choose between ocsp and just doing the dns (or ignoring the origin extension). So there is motivation to staple. I don't think we want to make a certificate extension that says "opt-in to skip DNS" (it is tatamount in some ways to selecting for people who have something to hide that they're willing to put in the work to deal with certificate changes - not a good privacy feature).. -Patrick
Received on Sunday, 16 July 2017 19:25:55 UTC