Re: [Add] Browser Administrative Authority
Tom Ritter <tom@ritter.vg> Fri, 24 May 2019 19:23 UTC
Return-Path: <tom@ritter.vg>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8895F120314 for <add@ietfa.amsl.com>; Fri, 24 May 2019 12:23:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ritter.vg
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VxveGq0HUq4J for <add@ietfa.amsl.com>; Fri, 24 May 2019 12:23:43 -0700 (PDT)
Received: from mail-wm1-x344.google.com (mail-wm1-x344.google.com [IPv6:2a00:1450:4864:20::344]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AAC012030A for <add@ietf.org>; Fri, 24 May 2019 12:23:43 -0700 (PDT)
Received: by mail-wm1-x344.google.com with SMTP id e19so2594484wme.1 for <add@ietf.org>; Fri, 24 May 2019 12:23:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=a5nN8lD6O40q45ZwqedWK8bec1vcBAMZ3kUnK1gfUJA=; b=K4N4CWRXrw2sK4MVoiGsAMqAB16IMMd/4gyVZx7/9+s8WmhtqkzDIlJI9eVLRo0viF lQA5AiKqrhTjzZ+k70Vk989dbplJTUgVaNEp+R7IR137p82W+CBGfqzvz8XaqSFnnOef ZYC2HyFOw8ufEgr0bM6Vr5OdoQA+twGoEkx7s=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=a5nN8lD6O40q45ZwqedWK8bec1vcBAMZ3kUnK1gfUJA=; b=ZmY2Y7HY4OLGt0/HI/qU6Ob7azuGpngyMP3BkEjjy7k3D4FEelQdl/WxfKW69xpHLs smiKZd3PFbKrhRfZpeOUlThb6BJ0mRwkqFHNdLccXyaPZtM6Va6NhBXzIdaCFOmQqvqJ uOtudpNaYie37Q1PX0mnJWYqaSFeUQwGSmzjhldIBcB35Wd/RYHrPPVKnO9CeCZKwbuy FF/afJz3j+TeJege0uar3lQOF2iDzq223SEirqY2isSxizP+1fk0G31h9O6wg/qkc7Ku Z23CnyAGTt62Mb+hB/fz+L/4GPtLBvW3ZRM7Qk3fa72GdZ1oD2DqU1M84uA8zfJ8kBUO op9g==
X-Gm-Message-State: APjAAAVJooFor0rDsfU9Dm7qeVqz2RpWkR7iIF1BvL7c12SpuQQdlu1M SBrC5gZ+KExWRLvlTuYoL4GmRboQbwr0x7iUTWI4GPEiZApEVg==
X-Google-Smtp-Source: APXvYqwBRjoBDgwn7bln/HrmEiEXBdQ4IwtfMdYqYEIkcVpuUWY/zxjahi39d2fjB4smn6QnfksxPLbVkzf7adKPlNk=
X-Received: by 2002:a7b:c936:: with SMTP id h22mr298715wml.71.1558725821552; Fri, 24 May 2019 12:23:41 -0700 (PDT)
MIME-Version: 1.0
References: <182C9119-59F9-43FA-B116-4D45649B74B5@nbcuni.com> <07A89E54-2DFC-4B5A-9784-610BBE7D2BB2@nostrum.com> <125917581.1152.1558717017241@appsuite-gw4.open-xchange.com> <MN2PR21MB1213868D0BC3575C2589B670FA020@MN2PR21MB1213.namprd21.prod.outlook.com>
In-Reply-To: <MN2PR21MB1213868D0BC3575C2589B670FA020@MN2PR21MB1213.namprd21.prod.outlook.com>
From: Tom Ritter <tom@ritter.vg>
Date: Fri, 24 May 2019 19:23:29 +0000
Message-ID: <CA+cU71mw77uS-BROWrFsGg9OSPEfAVk71UnzgL_5wWdM_znHnw@mail.gmail.com>
To: Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>
Cc: "Cook, Neil" <neil.cook=40open-xchange.com@dmarc.ietf.org>, Adam Roach <adam@nostrum.com>, "add@ietf.org" <add@ietf.org>, "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/H9K-ljVLpmaITm58BdgqsScpcFg>
Subject: Re: [Add] Browser Administrative Authority
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 May 2019 19:23:47 -0000
"imagine a parent who configures content controls through their ISP" Okay; but then this isn't a device administrator. This is a network administrator. (And whether it's enterprise or not isn't really relevant, no feature is restricted to enterprise use.) The network should be considered hostile until configured otherwise because... the network usually is hostile. Or at least it's untrusted. Every cellular connection; every coffee shop, every store's free wifi, every friend's network you connect to, every AirBnB wireless, every hotel... Percentage-wise, the number of untrusted networks the average user connects to dwarfs the number of trusted networks (even if the percentage of time spent on untrusted networks is dwarfed by the percentage spent on trusted networks.) Device administration is the appropriate answer here - it's the appropriate trust boundary for users. An administrator of a device is a person or organization the user of that device knows and understands controls it. For the network to be able to override and disable users' security and privacy controls is inappropriate - for example we don't allow networks to strip TLS. UNLESS, of course, the device is configured to allow such activity. -tom On Fri, 24 May 2019 at 17:53, Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org> wrote: > > Glenn, that was a great write-up. Thanks for sharing. > > To highlight Neil's point about this not being enterprise only: imagine a parent who configures content controls through their ISP. In a world where the browser defaults the user into using the browser's own DNS (DoH or otherwise) while bypassing system policies, children have a no effort needed sidestep to parental controls and it won't be immediately obvious to the parent why their controls don't work. > > I don't think asking the platform and other apps on the platform to all be aware of one another's policies is scalable. For the same reasons Glenn gave, I think apps should defer to the platform, redirecting users to make changes there rather than making changes within their own space. > > Thanks, > Tommy > > ________________________________ > From: Add <add-bounces@ietf.org> on behalf of Cook, Neil <neil.cook=40open-xchange.com@dmarc.ietf.org> > Sent: Friday, May 24, 2019 9:56 AM > To: Adam Roach > Cc: add@ietf.org; Deen, Glenn (NBCUniversal) > Subject: Re: [Add] Browser Administrative Authority > > Glenn’s point is not just about enterprises. It applies to consumer use cases as well. > > Neil > > Sent from my iPhone > > On 24 May 2019, at 16:58, Adam Roach <adam@nostrum.com> wrote: > > This is called “enterprise policy”, and — as far as I know — all major browsers honor it. > > See, e.g., https://support.mozilla.org/en-US/products/firefox-enterprise/policies-customization-enterprise/policies-overview-enterprise > > /a > > On May 24, 2019, at 09:48, Deen, Glenn (NBCUniversal) <Glenn.Deen@nbcuni.com> wrote: > > HI everyone, > > > > I’ve been thinking though some of the issues with the proposal DoH deployment in browsers. > > > > A big part of the tug of war here is the authority precedence for advanced security and network settings that should be followed. > > > > Historically, it’s been at the device level – which meant the device administrator, which could choose delegate choices to a specific DNS resolver operator, or to the Network DHCP provided settings. > > > > Now the browser is seeking to adding itself into the authority chain for those settings. The trouble being that this is a major change to the administrative trust model. > > > > To date, browser settings have been limited to rendering options, some basic certificate options, addons, and scripting language choices. Advance security and trust has remained with the device administrator. Adding the browser to the administrative chain so that it can control advanced security and network settings introduces a problem because the browser does not have an administrative level authority that is as high as the device administrator. > > > > Current hierarchy (top has more authority) > > > > Device Administrator -- device authority for security, network, trust settings > > Network Administrator -- provides recommend network settings to devices > > Resolver Administrator -- can provide filtering > > Browser Maker -- provides core trusted certificate list > > Browser User -- can set rendering options, can make limited certificate choices, plugins. – Impact is limited to the browser sandbox > > > > > > The problem is that some of the browser makers proposals are now changing this administrative authority hierarchy, but they haven’t done the extra work of establishing administrative trust and working through the consequences of that such as a child being able to change the browser DNS settings and bypass both resolver, Network, and even OS based restrictions. > > > > So they are changing it to: > > > > Browser Maker -- provides default DNS resolver and DNS Protocol choices. > > Browser User -- can set DNS resolver and DNS protocol > > Device Administrator -- device authority for security, network, trust settings > > Network Administrator -- provides recommend network settings to devices > > Resolver Administrator -- can provide filtering > > > > > > > > The path to fixing this maybe to see if there is a way to express the administrative hierarchy that respects the intentions of the device administrator on what hierarchy they want to accept/delegate decisions to. > > > > It maybe that what’s needed is a means to communicate to the browser what authority the device administrator wants it to follow, since in the end the device owner should be in charge. > > > > > > -glenn > > > > -- > Add mailing list > Add@ietf.org > https://www.ietf.org/mailman/listinfo/add > > -- > Add mailing list > Add@ietf.org > https://www.ietf.org/mailman/listinfo/add > > -- > Add mailing list > Add@ietf.org > https://www.ietf.org/mailman/listinfo/add
- Re: [Add] Browser Administrative Authority Tom Ritter
- [Add] Browser Administrative Authority Deen, Glenn (NBCUniversal)
- Re: [Add] Browser Administrative Authority Adam Roach
- Re: [Add] Browser Administrative Authority Cook, Neil
- Re: [Add] Browser Administrative Authority Tommy Jensen
- Re: [Add] Browser Administrative Authority Tom Ritter
- Re: [Add] Browser Administrative Authority Tommy Jensen
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Deen, Glenn (NBCUniversal)
- Re: [Add] Browser Administrative Authority Melinda Shore
- Re: [Add] Browser Administrative Authority Cook, Neil
- Re: [Add] Browser Administrative Authority Stephen Farrell
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Deen, Glenn (NBCUniversal)
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Deen, Glenn (NBCUniversal)
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Deen, Glenn (NBCUniversal)
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Melinda Shore
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Paul Ebersman
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Erik Kline
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Stephen Farrell
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Paul Wouters
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Paul Wouters
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Christian Huitema
- Re: [Add] Browser Administrative Authority Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Vittorio Bertola
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… tirumal reddy
- [Add] publication of DoH Resolver policies Jim Reid
- Re: [Add] publication of DoH Resolver policies tirumal reddy
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Deen, Glenn (NBCUniversal)
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Paul Wouters
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Neil Cook
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… tirumal reddy
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Paul Wouters
- Re: [Add] publication of DoH Resolver policies Livingood, Jason
- Re: [Add] publication of DoH Resolver policies Winfield, Alister
- Re: [Add] publication of DoH Resolver policies Petr Špaček
- Re: [Add] publication of DoH Resolver policies tirumal reddy
- Re: [Add] publication of DoH Resolver policies tirumal reddy
- Re: [Add] [EXTERNAL] Re: publication of DoH Resol… Winfield, Alister
- Re: [Add] [EXTERNAL] Re: publication of DoH Resol… tirumal reddy
- Re: [Add] Browser Administrative Authority Livingood, Jason
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Livingood, Jason
- Re: [Add] [EXTERNAL] Re: Browser Administrative A… Livingood, Jason
- Re: [Add] [EXTERNAL] Re: publication of DoH Resol… tirumal reddy