On Thu, Jan 12, 2017 at 9:42 AM, Andrew Ayer <[email protected]> wrote:
> I. Under the "Certificates for hosts whose address was not obtained via
> DNS lookup" section, a few scenarios come to mind:
>
> 1. The host was accessed by IP address.

To expand on this: Your assumption/model here is that the DNS resolver
learns this information, but they are not otherwise on-path, correct?
That is, imagine a user using a resolver of 8.8.8.8 - presumably, Google's
not malicious, but this would disclose to them IP-based connections?

> 2. The hostname was resolved by a SOCKS proxy server.

This is only relevant to clients that support SOCKSv5-based resolutions,
right? And is this just a specialized form of "using a different
resolver"? Or do you think it's distinct?

> I think more data is needed before concluding that this
> approach provides the desired privacy. Could Chrome run an
> experiment which resolves a DNS record for a hostname of the form
> <client-public-IP-address>.<test-domain>, and measure how many
> different <client-public-IP-address>es per recursive server are
> observed over various time periods by the authoritative servers
> for <test-domain>?

In expanding on your hypothetical test, what's the outcome or desired
property that you're trying to measure? I imagine a total number of
distinct IPs is itself not meaningful to such an analysis.

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
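As an added illustration, not code from this thread or from any CT client: the measurement Andrew's hypothetical experiment would yield, computed over a constructed authoritative-server query log. It assumes a hypothetical test zone ct-test.example, IPv4 client addresses encoded as dotted labels under it, and a log line format of "timestamp resolver-IP qname"; the output is the number of distinct client addresses each recursive resolver exposed per time window, which is what the experiment counts.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

TEST_DOMAIN = "ct-test.example"  # hypothetical <test-domain>, an assumption

# Constructed authoritative-server query log: "<ISO timestamp> <resolver IP> <qname>".
# Two clients behind 8.8.8.8, one behind 9.9.9.9, one repeat, two junk queries.
SAMPLE_LOG = """\
2017-01-12T09:00:01Z 8.8.8.8 203.0.113.7.ct-test.example.
2017-01-12T09:00:05Z 8.8.8.8 203.0.113.7.ct-test.example.
2017-01-12T09:03:10Z 8.8.8.8 198.51.100.20.ct-test.example.
2017-01-12T09:04:00Z 9.9.9.9 192.0.2.99.ct-test.example.
2017-01-12T09:20:30Z 8.8.8.8 203.0.113.7.ct-test.example.
2017-01-12T09:21:00Z 8.8.8.8 malformed.ct-test.example.
2017-01-12T09:22:00Z 8.8.8.8 www.other.example.
"""

EPOCH = datetime(1970, 1, 1)


def client_ip_from_qname(qname, test_domain=TEST_DOMAIN):
    """Recover <client-public-IP-address> from a qname under test_domain.
    Returns None for names outside the zone or whose prefix is not an
    IPv4 address (IPv4 as dotted labels is an assumption of this example)."""
    name = qname.rstrip(".")
    suffix = "." + test_domain
    if not name.endswith(suffix):
        return None
    try:
        addr = ip_address(name[: -len(suffix)])
    except ValueError:
        return None
    return str(addr) if addr.version == 4 else None


def distinct_clients_per_resolver(log_text, window_seconds):
    """Count distinct client IPs seen per recursive resolver in each window.
    Windows are aligned to multiples of window_seconds since the epoch.
    Returns {(window_start_iso, resolver_ip): distinct_client_count}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, resolver, qname = line.split()
        client = client_ip_from_qname(qname)
        if client is None:  # not part of the experiment; ignore
            continue
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        epoch_s = int((ts - EPOCH).total_seconds())
        start = EPOCH + timedelta(seconds=epoch_s - epoch_s % window_seconds)
        seen[(start.isoformat() + "Z", resolver)].add(client)
    return {key: len(clients) for key, clients in seen.items()}
```

Running distinct_clients_per_resolver(SAMPLE_LOG, 900) on the constructed log gives 2 clients behind 8.8.8.8 and 1 behind 9.9.9.9 in the 09:00 window, and 1 behind 8.8.8.8 in the 09:15 window; widening the window changes those counts, which is the "over various time periods" part of the proposal.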
