- From: Nick Sullivan <nicholas.sullivan@gmail.com>
- Date: Sun, 16 Jul 2017 16:05:11 +0000
- To: Ilari Liusvaara <ilariliusvaara@welho.com>, Piotr Sikora <piotrsikora@google.com>
- Cc: Erik Nygren <erik@nygren.org>, Patrick McManus <mcmanus@ducksong.com>, Ryan Hamilton <rch@google.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <CAOjisRy-peEYJGq4XaP3O07+EHN6npS1B4Uchn2XaL_vnWVbaw@mail.gmail.com>
On Sun, Jul 16, 2017 at 5:35 PM Ilari Liusvaara <ilariliusvaara@welho.com> wrote:

> On Sun, Jul 16, 2017 at 01:18:29PM +0200, Piotr Sikora wrote:
> > As mentioned on GitHub [1], where we also discussed this, I believe
> > that the "skip DNS" extension makes sense, provided that it's used
> > together with CT.
>
> Unfortunately, certificate extensions have a few problems here:
>
> - Probably takes a long time for many CAs to support them, or to get
>   support that allows the extension be requested via CSR, as other
>   methods are a PITA.

I actually don't see this as a particularly high barrier. Only a few high-powered sites that use a multi-CDN strategy are going to need it (assuming it's a "require DNS" extension). They have a lot of leverage over their CAs.

> - It is just as easy to get misissued certificate with this
>   extension as one without (provided CA that misissues supports this
>   extension)!

This is why CT is an important requirement. If a CA issues such a cert, its misissuance will be caught.

> - In which case I would want a certificate without this extension?
>   (the decision whether to actually coalesce or not can be rather
>   complicated one... Even when it does not involve perverse
>   incentives, like in that "CDN policy" case in the issue).
>
> > But if we go that route, then that extension might be a bit more
> > generic and perhaps not restricted to the ORIGIN frame, in which case
> > the ORIGIN frame draft should re-focus on restricting the scope of the
> > origin-set and not bypassing DNS, as suggested by Erik.
>
> Oh, and with regards with my earlier comment about many servers
> mishandling origins, I suppose that if server actually sends an ORIGIN
> for given origin, it can actually properly handle that origin. As the
> overwhelmingly most common source of mishandling is default
> virtual hosts.
>
> > [1] https://github.com/httpwg/http-extensions/issues/330
>
> -Ilari

Received on Sunday, 16 July 2017 16:05:51 UTC