Re: [Add] [EXTERNAL] Re: Browser Administrative Authority
Melinda Shore <melinda.shore@nomountain.net> Sat, 25 May 2019 19:17 UTC
To: "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>
Cc: "add@ietf.org" <add@ietf.org>
References: <182C9119-59F9-43FA-B116-4D45649B74B5@nbcuni.com> <410f4e4d-aee0-d679-b454-6576de90b21a@nomountain.net> <76EF5603-618C-4A73-A4F9-7489B73B0757@nbcuni.com>
From: Melinda Shore <melinda.shore@nomountain.net>
Message-ID: <9ad7aa89-d751-e4c6-dede-e9c22faf6d20@nomountain.net>
Date: Sat, 25 May 2019 11:17:07 -0800
In-Reply-To: <76EF5603-618C-4A73-A4F9-7489B73B0757@nbcuni.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/2mBFkKFxMscn0XdvnJ-wXU73OrM>
On 5/25/19 6:48 AM, Deen, Glenn (NBCUniversal) wrote:
> I don’t see this as equivalent to the trust mediation that browser
> makers do through their certificate root programs or security
> settings because those things are very much web application domain
> choices and are entirely appropriate to be controlled in the context
> of the web browser. Those trust certificates are for web servers
> and applications, and so are in exactly the right place.

Yeah, but you can make the same case for name resolution. It's certainly the case that some applications that run in browsers have narrower security requirements around DNS than others do, and right now there's no way for those applications to discover whether or not their DNS queries are protected. But, I think the broader problem is that ISPs are not running recursives that use encrypted transport, and because they're not, other folks are stepping up/in. I suppose that in a better world an endpoint would be able to check whether or not they can protect DNS traffic to the default recursive and, if not, fall back to one of {Google, Cloudflare, whomever}, but that's not where we are right now.

> In the case of browsers, there is an established means for the root
> list to be maintained securely, and to be updated when needed. That’s
> fundamental to the trust model working. If it were possible for this
> root list to be altered outside of that means and its associated
> integrity controls, then the trust model would be broken because it
> would be possible for unapproved roots to be installed.

It hasn't always been the case that browser root programs had strict entry requirements, or that CAs were audited, or that there were external mechanisms for misissuance detection. Those were added as problems were identified. And, I'll note, that the browsers are occasionally acting unilaterally around PKI issues, as well - this situation with encrypted DNS is neither unique nor isolated.

I do think part of the problem here is that for whatever reason our community (the IETF) hasn't come to consensus on problems related to trust in the DNS. If you don't have a trustworthy name resolution system you can't trust much else, either. This relates to both being able to get a correct answer that hasn't been mucked with by a third party, and to privacy protection of queries and responses. It seems unsurprising to me that browsers (and other application vendors) would respond to the default unprotected DNS situation by doing something about it themselves.

Melinda

-- 
Melinda Shore
melinda.shore@nomountain.net

Software longa, hardware brevis
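The "check whether the default recursive can be protected, otherwise fall back to a public resolver" behaviour the message above sketches, written out as an added example; this is not code from the original message, from the ADD working group, or from any browser. It makes the following assumptions, none of which the message states: the protected transport probed is DNS over TLS (RFC 7858, TCP port 853) rather than DoH; a resolver only counts as protected if its certificate verifies against the system trust store and against either a configured authentication domain name (the RFC 8310 strict profile) or the resolver's IP address, and it then answers a query over that session; 192.0.2.53 is a constructed TEST-NET placeholder for the DHCP-supplied resolver; and the fallback addresses and names are the ones Cloudflare and Google publish for their DoT services. The probe deliberately says nothing about whether answers have been "mucked with" by the resolver itself; that is a DNSSEC validation question, which transport encryption does not answer.

```python
"""Opportunistic selection of an encrypted resolver: probe the network's
default recursive for authenticated DNS over TLS and fall back to a
configured list of public resolvers only if that probe fails.
Added example; assumptions are marked in comments."""
import socket
import ssl
import struct
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

DOT_PORT = 853  # DNS over TLS, RFC 7858 (assumed as the "protected" transport)


@dataclass(frozen=True)
class Resolver:
    ip: str
    # TLS authentication domain name (RFC 8310). None means the certificate is
    # verified against the IP address itself (needs an IP SAN in the cert).
    auth_name: Optional[str] = None


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a recursion-desired, class IN DNS query in wire format, with the
    two-byte length prefix that TCP and DoT framing require."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    message = header + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(message)) + message


def parse_response_header(message: bytes, expected_txid: int) -> int:
    """Return the RCODE of a DNS response, rejecting anything that is not a
    response to our transaction id. A sanity check, not a DNSSEC check."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", message[:4])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    return flags & 0x000F


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def probe_dot(resolver: Resolver, probe_name: str = "example.com.", timeout: float = 3.0) -> bool:
    """True only if a TLS session whose certificate chain AND name verify is
    established on port 853 and the resolver answers NOERROR over it.
    Every failure mode (refused, timeout, bad cert, garbage) maps to False."""
    ctx = ssl.create_default_context()  # chain + hostname verification on by default
    server_name = resolver.auth_name or resolver.ip
    txid = 0x4D53
    try:
        with socket.create_connection((resolver.ip, DOT_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                tls.sendall(build_query(probe_name, txid=txid))
                (length,) = struct.unpack("!H", _recv_exact(tls, 2))
                return parse_response_header(_recv_exact(tls, length), txid) == 0
    except (OSError, ValueError):  # ssl.SSLError and socket.timeout are OSErrors
        return False


def choose_resolver(
    default: Resolver,
    fallbacks: Sequence[Resolver],
    probe: Callable[[Resolver], bool] = probe_dot,
) -> Optional[Resolver]:
    """Prefer the network's default recursive if it speaks authenticated DoT;
    otherwise the first fallback that does. None means no encrypted path was
    found; whether to hard-fail or go cleartext is the caller's policy."""
    for candidate in (default, *fallbacks):
        if probe(candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed placeholder for the DHCP-supplied resolver (TEST-NET-1).
    default = Resolver("192.0.2.53")
    # Assumed public DoT endpoints, as documented by their operators.
    public = [Resolver("1.1.1.1", "cloudflare-dns.com"), Resolver("8.8.8.8", "dns.google")]
    print(choose_resolver(default, public))
```

The probe is injectable so the selection policy can be tested without network access; run as a script it performs real TLS handshakes. Returning None rather than silently falling back to port 53 is the point of the design: the message's concern is that applications today cannot discover whether their queries are protected, and a selector that quietly downgrades would hide exactly that.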