Re: [Add] Browser Administrative Authority

Melinda Shore <melinda.shore@nomountain.net> Sat, 25 May 2019 05:01 UTC

To: add@ietf.org
References: <182C9119-59F9-43FA-B116-4D45649B74B5@nbcuni.com>
From: Melinda Shore <melinda.shore@nomountain.net>
Message-ID: <410f4e4d-aee0-d679-b454-6576de90b21a@nomountain.net>
Date: Fri, 24 May 2019 21:01:15 -0800
In-Reply-To: <182C9119-59F9-43FA-B116-4D45649B74B5@nbcuni.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/1unZ9aKrB6mB8WuxKYPuDNKjv6g>
List-Id: Applications Doing DNS <add.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
X-List-Received-Date: Sat, 25 May 2019 05:01:23 -0000

To be honest I think the framing is perhaps not particularly
correct.  Right now browser vendors are mediating trust, anyway,
through their root programs and other security policy enforcement
mechanisms that are not being explicitly chosen by the user or
the ISP.  I'm really not sure what to make of

    "The problem is that some of the browser makers proposals are now
    changing this administrative authority hierarchy, but they haven’t
    done the extra work of establishing administrative trust"

given the current state of the web PKI.  (Allowing, of course,
that the current state of the web PKI may be the strongest
argument against allowing browser vendors to own trust for
name resolution.)

I think the notion that they may be choosing a DNS resolver for web
applications is not that much of a change from current practice.  I
don't really love this but it's where we are at the moment.

I do, however, think that application authors understand their
own security requirements better than ISPs do, and in that sense
may be closer to the user's intentions than ISPs are (and indeed,
user needs and ISP desires are often in conflict).  In the
absence of some standard way of allowing applications to discover
their security environment I'm pretty good (with reservations) with
them choosing their own DNS resolver and DNS transport.

Melinda

-- 
Melinda Shore
melinda.shore@nomountain.net

Software longa, hardware brevis