Re: [Add] [EXTERNAL] Re: Browser Administrative Authority

["Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>]

Hi Melinda,

> On May 24, 2019, at 10:01 PM, Melinda Shore <melinda.shore@nomountain.net> wrote:
> 
> To be honest I think the framing is perhaps not particularly
> correct.  Right now browser vendors are mediating trust, anyway,
> through their root programs and other security policy enforcement
> mechanisms that are not being explicitly chosen by the user or
> the ISP.  I'm really not sure what to make of
> 
>    "The problem is that some of the browser makers proposals are now
>    changing this administrative authority hierarchy, but they haven’t
>    done the extra work of establishing administrative trust"
> 

I don’t see this as equivalent to the trust mediation that browser makers do through their certificate root programs or security settings because those things are very much web application domain choices and are entirely appropriate to be controlled in the context of the web browser.   Those trust certificates are for web servers and applications, and so are in exactly the right place.

DNS has traditionally been a network service and as such it’s configuration and settings have been a network level domain choice made by the device administrator.    While it is possible for the device administrator to choose to delegate network choices to the network, it always starts with the device administrator to make the choice.

In the case of browsers, there is an established means for the root list to be maintained securely, and to be update when needed.  That’s fundamental to the trust model working. If it were possible for this root list to be altered outside of that means and it’s associated integrity controls, then the trust model would be broken because it would be possible for unapproved roots to be installed.

By pulling the DNS up into the application settings, it’s also abandoning the security model for administration of those settings, the same as if the root certificates were pulled out and say placed into a simple file in the user’s file system.  

It’s the removal of information from its established management and protection context that causes the problem I pointed out.


> given the current state of the web PKI.  (Allowing, of course,
> that the current state of the web PKI may be the strongest
> argument against allowing browser vendors to own trust for
> name resolution.)

;)

> 
> I think the notion that they may be choosing a DNS resolver for web
> applications is not that much of a change from current practice.  I
> don't really love this but it's where we are at the moment.
> 
> I do, however, think that application authors understand their
> own security requirements better than ISPs do, and in that sense
> may be closer to the user's intentions than ISPs are (and indeed,
> user needs and ISP desires are often in conflict).  In the
> absence of some standard way of allowing applications to discover
> their security environment I'm pretty good (with reservations) with
> them choosing their own DNS resolver and DNS transport.

My analysis didn’t grant any implicit authority unto ISPs.   I don’t see this as the root debate here. Instead, it’s about that authority for making such choices starts with the device administrator, then the user, and only in cases where the administrator chooses to do so do the network’s provided settings come into play.

Also, when I say network settings I do not simply mean the ISP.  In my home network my router provides DNS settings that I as the router and administrator explicitly chose.  Yet, each device administrator can choose to set their own.     None of that is ISP controlled.

So this isn’t about the ISP vs browser application maker being more connected to the user’s wants,

However, with the current proposals of it being done by default at a browser app level using default settings pushed down by the application maker, I’m going to be in the position of having to watch the configuration of browser apps on each and every device that I manager, or provide support to (as I’m the IT support desk at home) to make my home setting desires match what the browser app uses, and I’m going to have to do it again and again at each update to ensure that the app didn’t change them again.  That’s a lot of work for users who want nothing more than to have their administrative choices respected. 


Regards, 
Glenn