Re: Skipping DNS resolutions with ORIGIN frame from Ryan Hamilton on 2017-07-18 (ietf-http-wg@w3.org from July to September 2017)

From: Ryan Hamilton <rch@google.com>
Date: Tue, 18 Jul 2017 11:47:58 -0700
To: Mike Bishop <Michael.Bishop@microsoft.com>
Cc: Mark Nottingham <mnot@mnot.net>, Patrick McManus <mcmanus@ducksong.com>, Emily Stark <estark@google.com>, Nick Sullivan <nicholas.sullivan@gmail.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, Erik Nygren <erik@nygren.org>, Piotr Sikora <piotrsikora@google.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CAJ_4DfQEAP4iv5Q7kgmZ5A2MBqsWvEQ+XOh5rgMVRLqsD2gpPA@mail.gmail.com>

On Tue, Jul 18, 2017 at 9:41 AM, Mike Bishop <Michael.Bishop@microsoft.com>
wrote:

> I'd either say something like "Clients opting not to check DNS SHOULD
> employ some alternative means to increase confidence that the certificate
> is legitimate, such as Certificate Transparency or revocation checks," or
> just stop after the first sentence.  If it's a MAY, then it's up to the
> clients under what specific conditions they employ it.  The main reason, in
> my mind, for adding the second sentence is to inform less-security-aware
> developers that they shouldn't just toss DNS out the window without having
> something else in hand.
>

This seems like the right direction to me.

Received on Tuesday, 18 July 2017 18:48:26 UTC