+1 for the requirement for CT. I feel uncomfortable skipping DNS without requiring at least CT.
As for OCSP stapling, I can see the argument for requiring it, but I would also like to offer short-lived certificates or delegated credentials (https://tools.ietf.org/html/draft-rescorla-tls-subcerts-01) as an equivalent requirement.
In general I think it's incredibly valuable to define the guidelines for skipping DNS in the specification. This makes it easier for service operators to be able to use this functionality in a uniform manner. These guidelines were missing for PUSH which made it very hard to use.
Subodh
________________________________
From: Daniel Stenberg <daniel@haxx.se>
Sent: Monday, July 17, 2017 10:28:04 AM
To: Emily Stark
Cc: Patrick McManus; Nick Sullivan; Ilari Liusvaara; Erik Nygren; Piotr Sikora; Ryan Hamilton; ietf-http-wg@w3.org
Subject: Re: Skipping DNS resolutions with ORIGIN frame
On Mon, 17 Jul 2017, Emily Stark wrote:
> Is it reasonable to assume that all clients implementing ORIGIN will also
> implement CT?
I think that's a stretch. It is easy to see how supporting ORIGIN can be an
obvious benefit to a lot of libraries and tools (i.e. non-browsers) that want to
coalesce/reuse connections better and that might very well be implemented
without doing CT or at least independently of it.
--
/ daniel.haxx.se
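The gating rule proposed at the top of this thread (CT required, plus either stapled OCSP, a short-lived certificate or a delegated credential), applied to the entries of an ORIGIN frame before a client skips DNS for them, as an added example in Python that is not code from anyone in this thread or from any HTTP implementation. The frame payload layout (16-bit Origin-Len followed by the ASCII origin, repeated) is the one in the ORIGIN frame draft; the 7-day "short-lived" threshold, the requirement of at least one validated SCT, the ConnectionFacts record and the sample frame are assumptions constructed for illustration. It also applies the draft's own precondition that the connection's certificate must cover the origin's host, since that check is what makes skipping DNS safe at all.

```python
"""Added example: decide, per ORIGIN frame entry, whether a client may
reuse the current TLS connection without a DNS lookup.  Not code from
this thread's participants or from any HTTP/2 library."""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

SHORT_LIVED_MAX = timedelta(days=7)   # assumption: what counts as "short lived"
MIN_VALIDATED_SCTS = 1                # assumption: minimum CT evidence


@dataclass
class ConnectionFacts:
    """What the client already knows about the TLS connection it would reuse."""
    san_dns_names: List[str]          # dNSName SANs from the server certificate
    not_before: datetime
    not_after: datetime
    sct_count: int = 0                # SCTs the client validated
    ocsp_stapled: bool = False
    ocsp_next_update: Optional[datetime] = None
    delegated_credential: bool = False


def parse_origin_frame(payload: bytes) -> List[str]:
    """Decode an ORIGIN frame payload: repeated (Origin-Len u16, ASCII-Origin)."""
    origins, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated Origin-Len")
        (n,) = struct.unpack_from("!H", payload, i)
        i += 2
        if i + n > len(payload):
            raise ValueError("truncated ASCII-Origin")
        origins.append(payload[i:i + n].decode("ascii"))
        i += n
    return origins


def is_malformed(payload: bytes) -> bool:
    try:
        parse_origin_frame(payload)
        return False
    except (ValueError, UnicodeDecodeError):
        return True


def san_matches(host: str, san: str) -> bool:
    """Exact match, or a single-label wildcard in the leftmost position."""
    host, san = host.lower(), san.lower()
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return host == san


def may_skip_dns(origin: str, facts: ConnectionFacts, now: datetime) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons-for-refusal) for one ORIGIN frame entry."""
    reasons = []
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False, ["origin is not an https origin"]
    if not any(san_matches(parts.hostname, s) for s in facts.san_dns_names):
        reasons.append("certificate does not cover host")
    if not (facts.not_before <= now <= facts.not_after):
        reasons.append("certificate not currently valid")
    if facts.sct_count < MIN_VALIDATED_SCTS:
        reasons.append("no CT evidence")
    ocsp_fresh = (facts.ocsp_stapled and facts.ocsp_next_update is not None
                  and facts.ocsp_next_update > now)
    short_lived = facts.not_after - facts.not_before <= SHORT_LIVED_MAX
    if not (ocsp_fresh or short_lived or facts.delegated_credential):
        reasons.append("no stapled OCSP, short-lived cert or delegated credential")
    return not reasons, reasons


# Constructed sample data for the demo (not captured traffic).
NOW = datetime(2017, 7, 17, 10, 28, tzinfo=timezone.utc)
SAMPLE_ORIGINS = ["https://www.example.com", "https://api.example.com:8443", "https://other.example"]
SAMPLE_FRAME = b"".join(struct.pack("!H", len(o)) + o.encode("ascii") for o in SAMPLE_ORIGINS)
SANS = ["*.example.com", "example.com"]
FACTS_SHORT = ConnectionFacts(SANS, NOW - timedelta(days=1), NOW + timedelta(days=5), sct_count=2)
FACTS_NO_CT = ConnectionFacts(SANS, NOW - timedelta(days=1), NOW + timedelta(days=5), sct_count=0)
FACTS_LONG = ConnectionFacts(SANS, NOW - timedelta(days=30), NOW + timedelta(days=60), sct_count=2)
FACTS_LONG_OCSP = ConnectionFacts(SANS, NOW - timedelta(days=30), NOW + timedelta(days=60),
                                  sct_count=2, ocsp_stapled=True, ocsp_next_update=NOW + timedelta(days=3))


def demo() -> dict:
    """Evaluate the sample frame against each constructed connection."""
    out = {}
    for label, facts in [("short", FACTS_SHORT), ("no_ct", FACTS_NO_CT),
                         ("long", FACTS_LONG), ("long_ocsp", FACTS_LONG_OCSP)]:
        out[label] = {o: may_skip_dns(o, facts, NOW)[0] for o in parse_origin_frame(SAMPLE_FRAME)}
    return out


if __name__ == "__main__":
    for label, verdicts in demo().items():
        print(label, verdicts)
```

The refusal reasons are returned rather than just a boolean so a library can log why it fell back to a DNS lookup; that is the kind of uniform behaviour the message above asks the specification to pin down.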