Re: [Add] [EXTERNAL] Re: Browser Administrative Authority

Melinda Shore <melinda.shore@nomountain.net> Sat, 25 May 2019 19:17 UTC

To: "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>
Cc: "add@ietf.org" <add@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/2mBFkKFxMscn0XdvnJ-wXU73OrM>
List-Id: Applications Doing DNS <add.ietf.org>

On 5/25/19 6:48 AM, Deen, Glenn (NBCUniversal) wrote:
> I don’t see this as equivalent to the trust mediation that browser
> makers do through their certificate root programs or security
> settings because those things are very much web application domain
> choices and are entirely appropriate to be controlled in the context
> of the web browser.  Those trust certificates are for web servers
> and applications, and so are in exactly the right place.

Yeah, but you can make the same case for name resolution.
It's certainly the case that some applications that run in
browsers have narrower security requirements around DNS
than others do, and right now there's no way for those
applications to discover whether or not their DNS queries
are protected.

But, I think the broader problem is that ISPs are not running
recursives that use encrypted transport, and because they're not
other folks are stepping up/in.  I suppose that in a better
world an endpoint would be able to check whether or not they
can protect DNS traffic to the default recursive and, if not,
fall back to one of {Google, Cloudflare, whomever} but that's
not where we are right now.

> In the case of browsers, there is an established means for the root
> list to be maintained securely, and to be updated when needed.  That’s
> fundamental to the trust model working. If it were possible for this
> root list to be altered outside of that means and its associated
> integrity controls, then the trust model would be broken because it
> would be possible for unapproved roots to be installed.

It hasn't always been the case that browser root programs had
strict entry requirements, or that CAs were audited, or that
there were external mechanisms for misissuance detection.  Those
were added as problems were identified.  And, I'll note, that
the browsers are occasionally acting unilaterally around PKI
issues, as well - this situation with encrypted DNS is neither
unique nor isolated.

I do think part of the problem here is that for whatever reason
our community (the IETF) hasn't come to consensus on problems
related to trust in the DNS.  If you don't have a trustworthy
name resolution system you can't trust much else, either.  This
relates to both being able to get a correct answer that hasn't
been mucked with by a third party, and to privacy protection
of queries and responses.  It seems unsurprising to me that
browsers (and other application vendors) would respond to the
default unprotected DNS situation by doing something about it
themselves.

Melinda

-- 
Melinda Shore
melinda.shore@nomountain.net

Software longa, hardware brevis
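
The endpoint check described in the message (probe the default recursive for encrypted transport, otherwise fall back to a public resolver) can be sketched as follows. This is an added example, not part of the original message; it assumes DNS over TLS on port 853 as the encrypted transport, and the fallback list, sample input and function names are illustrative.

```python
import socket
import ssl

DOT_PORT = 853  # DNS over TLS (RFC 7858)
# Assumed fallback list: public resolvers with their published TLS names.
FALLBACKS = [("1.1.1.1", "cloudflare-dns.com"), ("8.8.8.8", "dns.google")]
# Constructed sample input (documentation address range), not a real network.
SAMPLE_RESOLV_CONF = "search example.net\nnameserver 192.0.2.53  # from DHCP\n"


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def probe_dot(address, tls_name=None, timeout=3.0):
    """True if a TLS session to address:853 can be established.

    With tls_name the certificate is verified (strict). Without it the
    handshake is unauthenticated (opportunistic): that hides queries from
    passive observers only, which is all an IP-only default can offer.
    """
    ctx = ssl.create_default_context()
    if tls_name is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((address, DOT_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=tls_name):
                return True
    except OSError:  # refused, timed out, or TLS failure (ssl.SSLError)
        return False


def choose_resolver(defaults, fallbacks=FALLBACKS, probe=probe_dot):
    """Prefer the network's own recursive if it accepts DoT, else fall back."""
    for address in defaults:
        if probe(address):
            return {"address": address, "tls_name": None, "source": "default"}
    for address, name in fallbacks:
        if probe(address, name):
            return {"address": address, "tls_name": name, "source": "fallback"}
    return None  # no encrypted path: the caller must choose fail-open or fail-closed
```

The `probe` parameter exists so the selection logic can be exercised without network access; on a live host, `choose_resolver(parse_resolv_conf(open("/etc/resolv.conf").read()))` performs the real handshakes.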