- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 19 Jul 2017 16:41:47 +0200
- To: Piotr Sikora <piotrsikora@google.com>
- Cc: Ryan Hamilton <rch@google.com>, Patrick McManus <mcmanus@ducksong.com>, "Emily Stark (Dunn)" <estark@google.com>, Erik Nygren <erik@nygren.org>, Mike Bishop <michael.bishop@microsoft.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
I would not modify the protocol in that way. I would prefer to leave ORIGIN alone. DOH is a much a better way to get that information to the client, for example. On 19 July 2017 at 10:00, Piotr Sikora <piotrsikora@google.com> wrote: > Yes, DNSSEC staple in ORIGIN frame is definitely a good option. > > It doesn't solve _all_ problems, e.g. GeoDNS, since we don't know that > the same DNS response would be sent for a query issued by this > particular client, but none of the suggested alternatives solve this > anyway (other than the SkipDNS X509 extension, which doesn't have many > fans here), so we shouldn't dismiss DNSSEC staple because of that. > > Best regards, > Piotr Sikora > > On Tue, Jul 18, 2017 at 8:38 PM, Ryan Hamilton <rch@google.com> wrote: >> On Fri, Jul 14, 2017 at 11:30 PM, Patrick McManus <mcmanus@ducksong.com> >> wrote: >>> >>> Hey Ryan, thanks for the comments. >>> >>> On Fri, Jul 14, 2017 at 3:18 PM, Ryan Hamilton <rch@google.com> wrote: >>>> >>>> . It is crystal clear that saving DNS resolutions represents a real >>>> performance win, especially for long-tail users. >>>> >>> >>> I want to re-emphasize here that I believe a perhaps larger win here is >>> the privacy implication of a lookup never made - especially when combined >>> with secondary certificates and exported authentiactors (still to come to >>> h2). This achieves much of what encrypted SNI could do. >> >> >> Interesting point. It's a bit of a tradeoff between privacy and security >> then, I suppose. >>> >>> My first question is would you be ok with just loosening the draft >>> language a little bit.. i.e. instead of saying must not consult DNS, define >>> this in a way that it is the client's decision. >> >> >> I think that'd definitely a step in the right direction, but I heard some >> real security concerns about "blindly" skipping resolution in this case, so >> I'm interested to hear what the group things about the advisability of doing >> this. >> >>> As I've said before, I don't think the DNS is providing any real value >>> here now that ORIGIN is playing the role of traffic routing. Indeed it is >>> creating a privacy cost - so I'm eager to get it out of the loop. >>> >>> If we can't get consensus on that I'd prefer some kind of stapled >>> assertion that kept the perf and privacy properties of the current draft. I >>> guess that could be dnssec though that would certainly limit use for imo >>> limited value.. >> >> >> It does seem like a stapled DNSSEC response is a plausible option here! >> >>> >>> I'm not sure I fully understand what you're thinking of wrt expect-ct >>> -does it fit that model? >> >> >> I don't think I was thinking about expect-ct per-se. Instead, folks were >> thinking that we could consider skipping DNS resolutions when the >> certificate is valid according to the CT logs that the client has access >> too. This is a different sort of assertion from a second source that helps >> mitigate the impact of a mis-issued certificate, which is the main fear of >> skipping DNS. >>
Received on Wednesday, 19 July 2017 14:42:10 UTC