Re: Adam Roach's No Objection on draft-ietf-httpbis-origin-frame-04: (with COMMENT)

On Wed, Jan 10, 2018 at 12:24 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie
> wrote:

>
>
> Just want to check a thing - if one added some DNS check, am
> I right that any privacy benefit of the ORIGIN frame might
> then be lost?
>

making fewer queries is privacy friendly.

But there's something more fundamental:

experience has shown that HTTP/2's requirement to
establish server authority using both DNS and the server's
certificate is onerous.

adding a post-facto DNS check doesn't help with that part of things. ORIGIN
does not expect to be consistent with the DNS rule of 7540 coalescing.

This is especially true when DNS is not consistent for everyone (i.e. I
have 2000 different servers that will answer for a.example.com but
obviously not every query for a.example.com can return the same set to
everyone) it leads to less coalescing going on than the server wants when
done 7540 style. There are also load management issues (i.e. a particular
server can opt-in to a subresource via ORIGIN on a per connection basis,
rather than an Internet-wide basis by publishing in DNS) etc..

Origin takes the position that that certificate validity is the more useful
signal and encourages the implementer to be extra careful about it now that
it has more weight.. that's why the examples deal with the mis-issuance
infrastucture (i.e. CT) and revocation (i.e. OCSP stapling) rather than
bringing in other factors.

Received on Wednesday, 10 January 2018 18:19:25 UTC