Re: [Add] Fwd: New Version Notification for draft-reddy-dprive-dprive-privacy-policy-00.txt

[tirumal reddy <kondtir@gmail.com>]

On Wed, 9 Oct 2019 at 15:05, Paul Wouters <paul@nohats.ca> wrote:

> On Tue, 8 Oct 2019, tirumal reddy wrote:
>
> >       How and how would any enforcement system work for a variety of DNS
> >       providers all over the world? ISPs? hotels? coffeeshops? Mobile
> >       providers? Will there be an industry standard org? How will this
> >       not devolve into government sanctioned mandatory DNS providers on
> >       my mobile device?
> >
> > Users may or may not trust the attached network and the DNS server
> provided by the network (e.g, a public
> > network). It is similar to the way users disable VPN in specific trusted
> networks (e.g., Enterprise network)
> > and VPN is enabled by default in all other networks.
>
> The user can already do that, without any help from the local network.
> If someone configures a VPN or a DoT/DoH, they do not need the local
> network for anything except passing a captive portal. I don't understand
> what you are adding here.
>
> Trust relationships of networks are:
>
> 1) I don't need to trust them, so I don't
> 2) I am forced to trust them, so I do.
>
> In the case of an enterprise network like 2) they can already
> pre-install the CA certs I need to trust on connecting to the
> network (see the IETF network do something similar there)
>

I am referring to BYOD devices, BYOD will not have Enterprise root
certificate and cannot be provisioned with the Enterprise DoT/DoH server
using AD. The owner of the the BYOD has a choice whether to use the
Enterprise network provided DoT/DoH server or not.


>
> > No. If the privacy requirements of the endpoint are not met, the DNS
> client can discard using the discovered
> > DNS server in the attached network, and connect to a public DNS resolver
> meeting the endpoint privacy
> > preserving data policy requirements.
>
> Again, it is the other way around. Users should not need or want to
> trust the local network. My laptop mostly connects to completely unknown
> networks with zero trust _or_ a trusted enterprise network. What are
> these networks that a user should "trust to filter or log their DNS for
> them" ?
>

> > The proposed mechanism also helps the DNS client to automatically learn
> updates to the privacy claims by a DNS
> > server and avoids the need for users to periodically manually review the
> privacy statement.
>
> Again, this is fixing a problem that I do not think exists. Why should I
> trust or not trust this network with DNS to begin with? Their privacy
> policy update will not change that for me. Either, they were already too
> weak for me to trust, so I don't care about their DNS privacy policy
> update, or I trusted them already, in which case it seems I trust them
> more than my own trusted DNS - AKA I'm forced to trust them (an
> enterprise network).
>

I disagree, user needs to know whether his privacy requirements are met by
the local DNS server or public DNS server. If the public DNS server decides
to change the policy to sell user data to third-parties, the user would
want to move to a different DNS server.


>
> > The privacy policy information helps make the decision whether the DNS
> provider can be trusted or not.
>
> No it does not. It can only tell me when I for sure cannot trust them.
> Since I did not audit their logging, I can never be sure to trust them.
>

An end-user cannot audit the privacy claims by any DNS provider including
the public DNS revolvers, and can possibility rely on the audits performed
by third parties (similar to way VPN providers use third party audits).
How does the user know the public DNS server has not made false privacy
claims ?


>
> It's like saying a privacy policy will select whether I use HTTP:// or
> HTTPS://. That is not the question. The question is why would I ever
> use HTTP:// ?
>

> >       I'm still not convinced this statement is wrong. And additionally
> can
> >       see some serious harmful effects into mandatory censorship if this
> kind
> >       of system becomes mandatory on people's devices.
> >
> > I disagree, the proposal helps the user to choose a DNS server that best
> supports the desired privacy
> > policies.
>
> I either have a really good DNS provider that I fully trust up my
> sleeve, or I don't. If I do, I don't need the local network one.
> If I don't, I have no choice but the use the local network one.
>

Local DNS server for several reasons, blocking malware and phishing,
enforce MUD rules to only allow intended communications to and from the IoT
devices. Several other reasons like "CDN endpoint selection" are listed in
https://tools.ietf.org/html/draft-reid-doh-operator-00


>
> > DNS clients do not need to fallback to clear text DNS, and can use the
> DoT/DoH server provided by
> > the local network.
>
> Then why should I ever take a risk that this local network has a privacy
> policy that does not actually match its implementation?
>

Firefox falls back to clear text DNS because the local network has parental
control or DNS filtering. Android has an option to automatically use to the
local DoT server (opportunistic mode).


>
> > Further, it also provides a mechanism to securely signal to the DNS
> client that the
> > attached network performs DNS filtering.
>
> You cannot signal securely unless I have a trust anchor already on my
> device that would be used. If this is a CA-type store of hundreds of
> trust anchors, I cannot really trust them for this decision over a
> personally selected known safe choice.


You may want to re-look into the Security and Privacy considerations
sections, we are not suggesting to rely on the hundreds of trusted anchors
on the browser/OS.


> If it is enterprise specific,
> we already have mechanisms in place for securely obtaining updated DNS
> mechanisms. Like via VPN using RFC 8598.
>

No, it is not specific to Enterprise IT manged devices. Managed network
security can be provided by ISPs, Home router integrated with security
service, BYOD policies in Enterprise networks etc.

Cheers,
-Tiru


>
> Paul
>