Re: Skipping DNS resolutions with ORIGIN frame

On Tue, Jul 18, 2017 at 9:41 AM, Mike Bishop <>

> I'd either say something like "Clients opting not to check DNS SHOULD
> employ some alternative means to increase confidence that the certificate
> is legitimate, such as Certificate Transparency or revocation checks," or
> just stop after the first sentence.  If it's a MAY, then it's up to the
> clients under what specific conditions they employ it.  The main reason, in
> my mind, for adding the second sentence is to inform less-security-aware
> developers that they shouldn't just toss DNS out the window without having
> something else in hand.

This seems like the right direction to me.‚Äč

Received on Tuesday, 18 July 2017 18:48:26 UTC