RE: Skipping DNS resolutions with ORIGIN frame from Mike Bishop on 2017-07-18 (ietf-http-wg@w3.org from July to September 2017)

From: Mike Bishop <Michael.Bishop@microsoft.com>
Date: Tue, 18 Jul 2017 21:23:23 +0000
To: Watson Ladd <watson@cloudflare.com>, Ryan Hamilton <rch@google.com>
CC: Martin Thomson <martin.thomson@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, Piotr Sikora <piotrsikora@google.com>
Message-ID: <MWHPR21MB0141A9297C6F4993363966B987A10@MWHPR21MB0141.namprd21.prod.outlook.com>

Unless the cdnjs.cloudflare.com is in the same cert, you’d also need the Secondary Certificates extension to support that.  Once it’s there, though, I think the discussion is the same whether we have multiple certificates or one – we have a single factor (the certificate) that claims authority for some other name.  How do we reach a sufficient level of trust?  DNS is a weak second factor; are there other second factors we would be willing to consider as equivalent?

From: Watson Ladd [mailto:watson@cloudflare.com]
Sent: Tuesday, July 18, 2017 11:44 AM
To: Ryan Hamilton <rch@google.com>
Cc: Martin Thomson <martin.thomson@gmail.com>; ietf-http-wg@w3.org; Piotr Sikora <piotrsikora@google.com>
Subject: Re: Skipping DNS resolutions with ORIGIN frame

On Tue, Jul 18, 2017 at 11:30 AM, Ryan Hamilton <rch@google.com<mailto:rch@google.com>> wrote:
My apologies for starting this thread on Friday and then going on vacation! I'm catching up now.

On Fri, Jul 14, 2017 at 10:32 AM, Martin Thomson <martin.thomson@gmail.com<mailto:martin.thomson@gmail.com>> wrote:
I get that you believe that DNS resolution is valuable here, but I
don't understand your point about "proxy configuration".  If you have
a proxy configured, you generally don't do the DNS lookup directly, so
are you saying that you would allow the coalescing for a CONNECT
tunnel?

Yes, I think so.

Can you verify that I understand your point about Alt-Svc: if the
origin had been previously contacted and Alt-Svc identified an IP
address that matches the current IP, then that could be a sufficient
signal.  Usually Alt-Svc is a name though, so that wouldn't help.

Sorry, I wasn't very clear. What I means is that if I connection to www.example.org<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.example.org&data=02%7C01%7CMichael.Bishop%40microsoft.com%7C0a535a7fb83f4a3187c008d4ce0d6576%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636360004315030763&sdata=A11yjgd7M%2BFAWckA%2B4yXLreK7egSTp0o7fHOxTmro1Y%3D&reserved=0> which presents an *.example.org<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fexample.org&data=02%7C01%7CMichael.Bishop%40microsoft.com%7C0a535a7fb83f4a3187c008d4ce0d6576%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636360004315030763&sdata=z7e0gWv6d9qNO3LlzWYdAdJF%2Fdz1fl6ePrL4wXc%2Fo5w%3D&reserved=0> certificate, I need some second piece of information before using it for mail.example.com<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fmail.example.com&data=02%7C01%7CMichael.Bishop%40microsoft.com%7C0a535a7fb83f4a3187c008d4ce0d6576%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636360004315030763&sdata=m0%2FQIhc5PZ7qOzojoiCQcvrpWLL4fEbXrzCjH27AmeA%3D&reserved=0>. In the alt-svc case, if an earlier connection to mail.example.org<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fmail.example.org&data=02%7C01%7CMichael.Bishop%40microsoft.com%7C0a535a7fb83f4a3187c008d4ce0d6576%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636360004315030763&sdata=dzpNY0d8AF2kRFXdgSMNqZebFcyj8CTepsxlWxwNKFg%3D&reserved=0> advertised alt-svc for www.example.org<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.example.org&data=02%7C01%7CMichael.Bishop%40microsoft.com%7C0a535a7fb83f4a3187c008d4ce0d6576%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636360004315030763&sdata=A11yjgd7M%2BFAWckA%2B4yXLreK7egSTp0o7fHOxTmro1Y%3D&reserved=0>, then I would be comfortable coalescing the connection and would not need to do any resolution of mail.example.org<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fmail.example.org&data=02%7C01%7CMichael.Bishop%40microsoft.com%7C0a535a7fb83f4a3187c008d4ce0d6576%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636360004315030763&sdata=dzpNY0d8AF2kRFXdgSMNqZebFcyj8CTepsxlWxwNKFg%3D&reserved=0>.

This doesn't work for our major usecase, which is using an existing connection to one of our customers to send the content of cdnjs.cloudflare.com<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fcdnjs.cloudflare.com&data=02%7C01%7CMichael.Bishop%40microsoft.com%7C0a535a7fb83f4a3187c008d4ce0d6576%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636360004315030763&sdata=9yE4PkHTxyyqml%2BhutprXtHJO9nbwEtfi9ptaijYZb0%3D&reserved=0>. If logging a certificate in CT is enough to enable ORIGIN that is fine.

Similarly, are you saying that CT could assert something that would
cause you to skip the DNS lookup for a name?

This was more of a straw-man than a concrete proposal, but yes. Folk in Chrome security thought that this was plausible, though probably required more thought.

Or is this list just to make a more general point about raising the
bar for gaining the ability to use a name, and not something that is
specific to this particular example of DNS lookups?

Specific to the issue of skipping DNS lookups when deciding to trust a certificate.

Received on Tuesday, 18 July 2017 21:23:57 UTC