RE: Skipping DNS resolutions with ORIGIN frame

Unless the is in the same cert, you’d also need the Secondary Certificates extension to support that.  Once it’s there, though, I think the discussion is the same whether we have multiple certificates or one – we have a single factor (the certificate) that claims authority for some other name.  How do we reach a sufficient level of trust?  DNS is a weak second factor; are there other second factors we would be willing to consider as equivalent?

From: Watson Ladd []
Sent: Tuesday, July 18, 2017 11:44 AM
To: Ryan Hamilton <>
Cc: Martin Thomson <>;; Piotr Sikora <>
Subject: Re: Skipping DNS resolutions with ORIGIN frame

On Tue, Jul 18, 2017 at 11:30 AM, Ryan Hamilton <<>> wrote:
My apologies for starting this thread on Friday and then going on vacation! I'm catching up now.

On Fri, Jul 14, 2017 at 10:32 AM, Martin Thomson <<>> wrote:
I get that you believe that DNS resolution is valuable here, but I
don't understand your point about "proxy configuration".  If you have
a proxy configured, you generally don't do the DNS lookup directly, so
are you saying that you would allow the coalescing for a CONNECT

Yes, I think so.

Can you verify that I understand your point about Alt-Svc: if the
origin had been previously contacted and Alt-Svc identified an IP
address that matches the current IP, then that could be a sufficient
signal.  Usually Alt-Svc is a name though, so that wouldn't help.

Sorry, I wasn't very clear. What I mean is that if I connect to<> which presents an *<> certificate, I need some second piece of information before using it for<>. In the alt-svc case, if an earlier connection to<> advertised alt-svc for<>, then I would be comfortable coalescing the connection and would not need to do any resolution of<>.

This doesn't work for our major use case, which is using an existing connection to one of our customers to send the content of<>. If logging a certificate in CT is enough to enable ORIGIN that is fine.

Similarly, are you saying that CT could assert something that would
cause you to skip the DNS lookup for a name?

This was more of a straw-man than a concrete proposal, but yes. Folk in Chrome security thought that this was plausible, though probably required more thought.

Or is this list just to make a more general point about raising the
bar for gaining the ability to use a name, and not something that is
specific to this particular example of DNS lookups?

Specific to the issue of skipping DNS lookups when deciding to trust a certificate.

Received on Tuesday, 18 July 2017 21:23:57 UTC
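The coalescing policy discussed in the thread (the certificate is one factor that claims authority for a name; a prior Alt-Svc advertisement or a DNS answer pointing at the same peer is the required second factor) written out as an added example. This is not code from any participant or from a real client; the hostnames, the 192.0.2.x/198.51.100.x addresses and the stub DNS table are constructed for the demonstration.

```python
from dataclasses import dataclass, field

@dataclass
class Connection:
    """An established TLS connection and what has been learned on it (constructed model)."""
    peer_ip: str
    cert_sans: list                                  # dNSName SANs of the presented certificate
    advertised_altsvc: set = field(default_factory=set)  # hosts this peer advertised via Alt-Svc

def cert_covers(sans, host):
    """True if a SAN entry matches host; a wildcard covers exactly one leftmost label."""
    host = host.lower()
    for san in sans:
        san = san.lower()
        if san.startswith("*."):
            if host.count(".") == san.count(".") and host.endswith(san[1:]):
                return True
        elif san == host:
            return True
    return False

# Constructed stand-in for a resolver: host -> set of addresses (documentation ranges).
DEMO_DNS = {"c.example.com": {"192.0.2.10"}, "d.example.com": {"198.51.100.5"}}

def demo_resolve(host):
    return DEMO_DNS.get(host, set())

def can_coalesce(conn, origin_host, resolve=None):
    """Decide whether conn may serve origin_host. Returns (allowed, reason).

    The certificate alone never suffices: a prior Alt-Svc advertisement on this
    connection, or a DNS answer containing the connection's peer, must confirm it.
    """
    if not cert_covers(conn.cert_sans, origin_host):
        return False, "certificate does not cover origin"
    if origin_host in conn.advertised_altsvc:
        return True, "prior Alt-Svc advertisement"
    if resolve is not None:
        if conn.peer_ip in resolve(origin_host):
            return True, "DNS resolves origin to connection peer"
        return False, "DNS answer does not include connection peer"
    return False, "certificate only; no second factor"

if __name__ == "__main__":
    conn = Connection("192.0.2.10", ["*.example.com"], {"b.example.com"})
    for host in ("b.example.com", "c.example.com", "d.example.com", "other.test"):
        print(host, can_coalesce(conn, host, resolve=demo_resolve))
```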