+1 for the requirement for CT. I feel uncomfortable skipping DNS without requiring at least CT. As for OCSP stapling, I can see the argument for requiring it, but I would also like to offer short lived certificates or delegated credentials (https://tools.ietf.org/html/draft-rescorla-tls-subcerts-01) as equivalent requirement. In general I think it's incredibly valuable to define the guidelines for skipping DNS in the specification. This makes it easier for service operators to be able to use this functionality in a uniform manner. These guidelines were missing for PUSH which made it very hard to use. Subodh ________________________________ From: Daniel Stenberg <daniel@haxx.se> Sent: Monday, July 17, 2017 10:28:04 AM To: Emily Stark Cc: Patrick McManus; Nick Sullivan; Ilari Liusvaara; Erik Nygren; Piotr Sikora; Ryan Hamilton; ietf-http-wg@w3.org Subject: Re: Skipping DNS resolutions with ORIGIN frame On Mon, 17 Jul 2017, Emily Stark wrote: > Is it reasonable to assume that all clients implementing ORIGIN will also > implement CT? I think that's a stretch. It is easy to see how supporting ORIGIN can be an obvious benefit to a lot of libraries and tools (ie non-browsers) that want to coalesce/reuse connections better and that might very well be implemented without doing CT or at least independently of it. -- / daniel.haxx.se
Received on Tuesday, 18 July 2017 07:35:09 UTC