Re: Skipping DNS resolutions with ORIGIN frame

On Wed, Jul 19, 2017 at 3:26 AM, Erik Nygren <> wrote:

> authenticated origin (where DNS was followed initially to receive the
> Alt-Svc)
> saying that connections to can safely coalesce as long as
> there is cert coverage.
> ie, if the cert presented when connecting to and sending
> SNI="" covers "", or if such a cert
> is pushed via Secondary Certificates down the road.

following DNS and SNI even once removes the pro-privacy attributes of
ORIGIN; or do I misunderstand the proposal? If we were going to go in that
direction it might be easier to define some kind of "h2='originframe'"
attestation from alt-svc, but again - bootstrapping alt-svc has the name
leak so I don't think it's a great idea.

Received on Wednesday, 19 July 2017 06:33:28 UTC