Re: Skipping DNS resolutions with ORIGIN frame

On Wed, Jul 19, 2017 at 3:26 AM, Erik Nygren <erik+ietf@nygren.org> wrote:

> authenticated origin (where DNS was followed initially to receive the
> Alt-Svc)
> saying that connections to cdn.example.net can safely coalesce as long as
> there is cert coverage.
> ie, if the cert presented when connecting to cdn.example.net and sending
> SNI="www.example.com" covers "www.example.com", or if such a cert
> is pushed via Secondary Certificates down the road.
>
>
following DNS and SNI even once removes the pro-privacy attributes of
ORIGIN; or do I misunderstand the proposal? If we were going to go in that
direction it might be easier to define some kind of "h2='originframe'"
attestation from alt-svc, but again - bootstrapping alt-svc has the name
leak so I don't think it's a great idea.

Received on Wednesday, 19 July 2017 06:33:28 UTC