DNS relaxation, smaller initial Origin Set #285
@@ -60,7 +60,8 @@ penalty of adding latency. To address that, this specification defines a new HTT | |
|
||
Additionally, experience has shown that HTTP/2's requirement to establish server authority using | ||
both DNS and the server's certificate is onerous. This specification relaxes the requirement to | ||
check DNS when the ORIGIN frame is in use. | ||
check DNS when the ORIGIN frame is in use. Doing so has additional benefits, such as removing the | ||
latency associated with some DNS lookups, and improving DNS privacy. | ||
|
||
|
||
nit extra newline
already fixed
||
## Notational Conventions | ||
|
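Review bot: the new sentence relaxes the DNS check without saying, in the same paragraph, what the client still relies on to establish authority; a reader of the introduction has to reach the certificate-validity rules later in the draft to learn that the server's certificate remains the sole check. Consider "This specification relaxes the requirement to check DNS when the ORIGIN frame is in use, relying on the server's certificate alone to establish authority." The privacy benefit could also be stated more precisely: because the client never sends the coalesced origins' names to a resolver, neither the resolver nor a network observer learns which of those origins are in use on the connection.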
@@ -121,8 +122,9 @@ them MUST be ignored by clients conforming to this specification. The remaining | |
for backwards-compatible changes, and do not affect processing by clients conformant to this | ||
specification. | ||
|
||
The ORIGIN frame is processed hop-by-hop. An intermediary MUST NOT forward ORIGIN frames. Clients | ||
configured to use a proxy MUST ignore any ORIGIN frames received from it. | ||
The ORIGIN frame describes a property of the connection, and therefore is processed hop-by-hop. An | ||
intermediary MUST NOT forward ORIGIN frames. Clients configured to use a proxy MUST ignore any | ||
ORIGIN frames received from it. | ||
|
||
Each ASCII-Origin field in the frame's payload MUST be parsed as an ASCII serialisation of an | ||
origin ({{!RFC6454}}, Section 6.2). If parsing fails, the field MUST be ignored. | ||
|
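Review bot: the hop-by-hop rule would be clearer if it said which connection the frame's property belongs to. An ORIGIN frame received by a proxy describes the proxy's own connection to the server, whose certificate the proxy validated; relaying it onto a client connection would let the client attribute authority it never verified. Suggest "An intermediary MUST NOT forward ORIGIN frames, since the Origin Set they describe applies only to the connection on which they were received." The unchanged rule in the next paragraph to ignore an unparsable ASCII-Origin field is the right choice alongside this: a malformed field cannot be added to the Origin Set, so nothing is gained by turning it into a connection error.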
@@ -233,12 +235,12 @@ The following algorithm illustrates how a client could handle received ORIGIN fr | |
The certificate presented by the server is valid for a host if it passes the checks that the client | ||
would perform when forming a new TLS connection to the origin. This includes verifying that the | ||
host matches a `dNSName` value from the certificate `subjectAltName` field (using the wildcard rules | ||
typo: s/sNSName/DNSName/
Is correct; see https://tools.ietf.org/html/rfc5280#section-4.2.1.6 (but will add a ref)
||
defined in {{!RFC2818}}). | ||
defined in {{!RFC2818}}; see also {{!RFC5280}} Section 4.2.1.6). | ||
|
||
|
||
# Operational Considerations for Servers {#server-ops} | ||
|
||
The ORIGIN frame allows a server to indicate what for origins a given connection ought be used. | ||
The ORIGIN frame allows a server to indicate for which origins a given connection ought be used. | ||
|
||
For example, it can be used to inform the client that the connection is to only be used for the | ||
SNI-based origin, by sending an empty ORIGIN frame. Or, a larger number of origins can be indicated | ||
|
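Review bot: the rewritten sentence in the server-operations section still reads "ought be used"; it should be "ought to be used". In the certificate paragraph, the added RFC 5280 Section 4.2.1.6 reference settles the `dNSName` spelling raised in the comment (it is the ASN.1 identifier), but since this change relaxes the DNS check, the name match is now the only per-origin authority check; it would help to state explicitly that the match counts only against a certificate that has already passed chain validation, which "the checks that the client would perform when forming a new TLS connection" implies but does not spell out.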
In discussions on this there are a couple of other motivators that may (or may not!) be worth including as introductory text. One is simply that it can save a DNS lookup by effectively inlining the result, and the other is that DNS is often a privacy leak that can be avoided by not making the lookup.
Done