- From: Emily Stark <estark@google.com>
- Date: Mon, 17 Jul 2017 01:40:33 -0700
- To: Patrick McManus <mcmanus@ducksong.com>
- Cc: Nick Sullivan <nicholas.sullivan@gmail.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, Erik Nygren <erik@nygren.org>, Piotr Sikora <piotrsikora@google.com>, Ryan Hamilton <rch@google.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <CAPP_2SZFwCZK3Pmm9ACdXmSafeiO6c8nxn8JoEQMUWHh-D1XBw@mail.gmail.com>
On Sun, Jul 16, 2017 at 12:25 PM, Patrick McManus <mcmanus@ducksong.com> wrote: > On Sun, Jul 16, 2017 at 12:15 PM, Nick Sullivan < > nicholas.sullivan@gmail.com> wrote: > >> There is merit to both sides. Requiring DNS adds a weak second factor for >> routing decisions, which is useful in multi-CDN situations, or extra-broad >> certificates, where you want to prevent a CDN from routing extra traffic >> via ORIGIN. On the other hand, skipping DNS is a big step forward for both >> performance and privacy, it basically solves the encrypted SNI issue. >> >> > I think this notion of exchanging the DNS weak second factor for some > other factor(s) with better perf and privacy properties is promising. Let's > work with that and thanks especially to Ryan for getting the conversation > going in that general direction. > > First, I'd like to add to the ORIGIN benefit list - beyond perf and > privacy I believe ORIGIN is operationally superior to the DNS coalescing of > 7540. By 7540 rules this DNS test will fail any time the zone operator > can't return a set that matches the resolution that happened when the > connection was established. For any DNS server that has more addresses to > choose from than it puts in the RR set, this can be a challenge. I _know_ > that 7540 coalescing fails all of the time because of this (and if it were > because of traffic management (which it generally is not because I've > debugged it with the operators) then ORIGIN provides a finer control for > that anyhow) > > ISTM the primary concern is that the DNS provision amplifies the power of > the certificate (depending on how much value you think DNS has a second > factor that could be by a factor of 1.0001 to MAXINT - we probably don't > need to come to consensus on it) in the case of misissuance or compromise. > > So curating from the ideas floating around I would suggest that a origin > client MUST skip the DNS check if > a] the connection certificate used to validate the origin comes with SCT. > This is to mitigate against mis-issuance. Given that we can expect all > public certifcates published a year from now to deal with CT, this seems > pretty easy operationally to me. > Do you mean literally comes with a single SCT? Or complies with the client's CT policy (which might require multiple SCTs)? Is it reasonable to assume that all clients implementing ORIGIN will also implement CT? > > b] the connection certificate used to validate the origin passes a > revocation check. This is to mitigate against compromise. In the case OCSP > was not stapled the client could choose between ocsp and just doing the dns > (or ignoring the origin extension). So there > is motivation to staple. > > I don't think we want to make a certificate extension that says "opt-in to > skip DNS" (it is tatamount in some ways to selecting for people who have > something to hide that they're willing to put in the work to deal with > certificate changes - not a good privacy feature).. > > -Patrick > > >
Received on Monday, 17 July 2017 08:41:22 UTC