DNS relaxation, smaller initial Origin Set #285

Merged
merged 28 commits into from
Feb 13, 2017
Changes from 4 commits
12 changes: 7 additions & 5 deletions draft-ietf-httpbis-origin-frame.md
@@ -60,7 +60,8 @@ penalty of adding latency. To address that, this specification defines a new HTT

Additionally, experience has shown that HTTP/2's requirement to establish server authority using
Contributor

In discussions on this there are a couple of other motivators that may (or may not!) be worth including as introductory text. One is simply that it can save a DNS lookup by effectively inlining the result, and the other is that DNS is often a privacy leak that can be avoided by not making the lookup.

Member Author
Done

both DNS and the server's certificate is onerous. This specification relaxes the requirement to
check DNS when the ORIGIN frame is in use.
check DNS when the ORIGIN frame is in use. Doing so has additional benefits, such as removing the
latency associated with some DNS lookups, and improving DNS privacy.


Contributor

Nit: extra newline.

Member Author

Already fixed.

## Notational Conventions
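Review bot: the sentence added after "check DNS when the ORIGIN frame is in use." names two benefits of dropping the DNS check but the paragraph never says what is retained, so "This specification relaxes the requirement to check DNS" can be read in the introduction as relaxing server authority as a whole. The third hunk keeps the certificate check ("The certificate presented by the server is valid for a host if it passes the checks that the client would perform when forming a new TLS connection to the origin"), so state that here, e.g. "This specification relaxes the requirement to check DNS when the ORIGIN frame is in use, while retaining the certificate check." Also, "removing the latency associated with some DNS lookups" leaves "some" undefined; say which lookups are avoided, or drop "some".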
@@ -121,8 +122,9 @@ them MUST be ignored by clients conforming to this specification. The remaining
for backwards-compatible changes, and do not affect processing by clients conformant to this
specification.

The ORIGIN frame is processed hop-by-hop. An intermediary MUST NOT forward ORIGIN frames. Clients
configured to use a proxy MUST ignore any ORIGIN frames received from it.
The ORIGIN frame describes a property of the connection, and therefore is processed hop-by-hop. An
intermediary MUST NOT forward ORIGIN frames. Clients configured to use a proxy MUST ignore any
ORIGIN frames received from it.

Each ASCII-Origin field in the frame's payload MUST be parsed as an ASCII serialisation of an
origin ({{!RFC6454}}, Section 6.2). If parsing fails, the field MUST be ignored.
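Review bot: the new rationale "describes a property of the connection, and therefore is processed hop-by-hop" is welcome, but the client rule in the same paragraph is narrower than the intermediary rule it pairs with: only clients "configured to use a proxy" MUST ignore the frame, so a client that is not proxy-configured gets no instruction for an ORIGIN frame that an intermediary forwarded in violation of the MUST NOT. Consider stating the client-side consequence directly, for instance that the Origin Set describes only the connection to the peer the client authenticated, so that the MUST NOT on intermediaries is not the sole line of defence. On the unchanged context line, "If parsing fails, the field MUST be ignored" discards one malformed ASCII-Origin field and keeps processing the rest of the frame; a short clause confirming that this is the intent would head off readers who expect a malformed field to invalidate the whole frame.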
@@ -233,12 +235,12 @@ The following algorithm illustrates how a client could handle received ORIGIN fr
The certificate presented by the server is valid for a host if it passes the checks that the client
would perform when forming a new TLS connection to the origin. This includes verifying that the
host matches a `dNSName` value from the certificate `subjectAltName` field (using the wildcard rules
Typo: s/sNSName/DNSName/

Member Author
Is correct; see https://tools.ietf.org/html/rfc5280#section-4.2.1.6 (but will add a ref)

defined in {{!RFC2818}}).
defined in {{!RFC2818}}; see also {{!RFC5280}} Section 4.2.1.6).


# Operational Considerations for Servers {#server-ops}

The ORIGIN frame allows a server to indicate what for origins a given connection ought be used.
The ORIGIN frame allows a server to indicate for which origins a given connection ought be used.

For example, it can be used to inform the client that the connection is to only be used for the
SNI-based origin, by sending an empty ORIGIN frame. Or, a larger number of origins can be indicated
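Review bot: the reworded line "The ORIGIN frame allows a server to indicate for which origins a given connection ought be used." fixes the word order of "what for origins" but still reads "ought be used"; make it "ought to be used". The added "{{!RFC5280}} Section 4.2.1.6" reference settles the `dNSName` question raised in the thread, since that section defines the `dNSName` GeneralName used in `subjectAltName`, so the lower-case spelling on the context line is correct and the new reference lets readers verify it.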