Re: Skipping DNS resolutions with ORIGIN frame

+1 for the requirement for CT. I feel uncomfortable skipping DNS without requiring at least CT.

As for OCSP stapling, I can see the argument for requiring it, but I would also like to offer short-lived certificates or delegated credentials as an equivalent requirement.

In general I think it's incredibly valuable to define the guidelines for skipping DNS in the specification. This makes it easier for service operators to be able to use this functionality in a uniform manner. These guidelines were missing for PUSH which made it very hard to use.


From: Daniel Stenberg
Sent: Monday, July 17, 2017 10:28:04 AM
To: Emily Stark
Cc: Patrick McManus; Nick Sullivan; Ilari Liusvaara; Erik Nygren; Piotr Sikora; Ryan Hamilton;
Subject: Re: Skipping DNS resolutions with ORIGIN frame

On Mon, 17 Jul 2017, Emily Stark wrote:

> Is it reasonable to assume that all clients implementing ORIGIN will also
> implement CT?

I think that's a stretch. It is easy to see how supporting ORIGIN can be an
obvious benefit to a lot of libraries and tools (i.e. non-browsers) that want to
coalesce/reuse connections better and that might very well be implemented
without doing CT or at least independently of it.



Received on Tuesday, 18 July 2017 07:35:09 UTC