IETF Logo Mail Archive

Re: [Add] Browser Administrative Authority

"Cook, Neil" <neil.cook@open-xchange.com> Fri, 24 May 2019 16:57 UTC

Return-Path: <neil.cook@open-xchange.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E71481201CF for <add@ietfa.amsl.com>; Fri, 24 May 2019 09:57:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=open-xchange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w95CpiqUep6j for <add@ietfa.amsl.com>; Fri, 24 May 2019 09:57:01 -0700 (PDT)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9EED120186 for <add@ietf.org>; Fri, 24 May 2019 09:57:00 -0700 (PDT)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx4.open-xchange.com (Postfix) with ESMTPS id 5F6736A30C; Fri, 24 May 2019 18:56:57 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=open-xchange.com; s=201705; t=1558717017; bh=HwVOkrq8suDg7Z0yd+f+ONwwMlxz28L8r7nbRqxsF8I=; h=From:Subject:Date:References:To:In-Reply-To:Cc:From; b=qo2HMaSJ/Znv0b1Rluy7R5JImiomifOiGl9icmsRsIg5mMid/G6+BU0NzCso759x6 cw//k8Aopl8yMn7CQmfYgD31M9sY6rjwDiuI6ZvsbnrVZ2ykzLSvRa3ctj2O6IFndK ytaoUTIwAz3hNAXZxrToOkf6NKSX94+amnNJakUluJmudHcpa05UnPrDUvJoHSwv8o F2aREdLCO3k5E3PvtoqP7yWtjsMWNs5Nb1zcOROmIW8YWjdo6xkkRWAsvrvI/kbGRM rMcIHL4syHYsG+nq4z9SAFR1sBf7zpMz/ReBt1df1IOuyruyEEnpgZEaiaf3Pw89fn cDRWxw9HmsnMQ==
Received: from appsuite-gw4.open-xchange.com (appsuite-gw4.open-xchange.com [10.20.28.84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 4C0603C0316; Fri, 24 May 2019 18:56:57 +0200 (CEST)
X-Header: Open-Xchange USM Mailer (USM Version: 7.10.2-2, EAS Version: 7.10.2-1, Build d17f7426766e7d3851e61d3f8794f10d65e74221)
Content-Type: multipart/alternative; boundary="Apple-Mail-55556EB4-B3CB-404E-9A8D-EF7E8305FD03"
Content-Transfer-Encoding: 7bit
From: "Cook, Neil" <neil.cook@open-xchange.com>
Mime-Version: 1.0
Message-ID: <125917581.1152.1558717017241@appsuite-gw4.open-xchange.com>
Date: Fri, 24 May 2019 17:56:56 +0100
References: <182C9119-59F9-43FA-B116-4D45649B74B5@nbcuni.com> <07A89E54-2DFC-4B5A-9784-610BBE7D2BB2@nostrum.com>
To: Adam Roach <adam@nostrum.com>
In-Reply-To: <07A89E54-2DFC-4B5A-9784-610BBE7D2BB2@nostrum.com>
Cc: "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>, "add@ietf.org" <add@ietf.org>
X-Mailer: Open-Xchange Mailer v7.10.2-Rev4
X-Originating-Client: USM-EAS
Autocrypt: addr=neil.cook@open-xchange.com; prefer-encrypt=mutual; keydata= mQENBFY4uCMBCACanbgJRs8WrxZZmtPZEe1xEEaVXz2g4rs6H898mQ2bsSa3NmeyfHrY/C7cy9iVpOE Al5GQBmKnTx0mYe0Fm8KZYBh895lpGz1OkV8z4N+7fvYpkeiYSUrwmdxGyWm4/Ol4rWieBXUqSpQl1a O9dRC9YUDx6wE2kvUcT35y9PpsYOgZvmzNZ61NsQNemLeVnWCk2dWvF8BC63vRPzKNnnS1KSj7yY12X FiVFqyuuWC4U0w8xgmkw1QEGXi9lEjnq5nh2LP3+MhSS0SQUg4K/NQEFXxoe4Yi9WghC37Yfl58EGxy JSGNHruwJuHTTWjC0xPN6tL/iEg2u8wy7blFSqAlABEBAAG0J0Nvb2ssIE5laWwgPG5laWwuY29va0B vcGVuLXhjaGFuZ2UuY29tPokBQAQTAQIAKgQLCQgHBhUIAgkKCwUWAgMBAAKeAQIbAwWJEswDAAUDAA AAAAWCVji4IwAKCRCqPocTiyIWJ8ifB/4r81q323KtGT/g3UpKXd+WIo5g6P5LRvaHcY0gWaT9RbRlg JfvbjXN2oY9HFE0PQBPpFozBvEVe9dtt0MROW5wWRygntyI5ROvEsD9I91xOIqcrEBpkCEFFeyqbq8+ +Yw5k8+IFIEFduopookBbmO3/gbMxkXFJ/cIh+OUWCIxV/kphlgJCGavwJq00Zo42SzMF42u5C63yHn kfT6zSQU0Y9z26FW/tyq6O1eI9aUAcaiMxLCAyR8pD+Dl8jaFPxbS7hyAk3srrA9dXvuL3mw4w6uEiW FUkuZ6onolSXQhZCUQ6+7y51f2XfbEH/gwWl8uDMc6IlunyZPZljvzEx9buQENBFY4uCMBCACbgNhut /V5nDmAh1sD1fyg1NBK8/NBuv24HhrdlEYuupU0ByS5Y4qhi+8ptu7d5vYNgGTbptZuob8Y4QEZS1BR EI7shZozYjsJjSzmHtnM+A+G0dSsXCaSKoTppsYL67sM1Cs5goZjsHnbIXDJi8SuvXtnTYxgxgGPLpU Rtci4LGKYksGEGy7q+hGvMA3KNSSZAu1OOwwLE71/E12VgXWWW7NuaJs67qLBtXcc3XiyEn2tCHdyTx yIl8ucMieNhkZt0jAkXgH+wAV71OyrjHBOWdsm+giHH70aLeZyz+x5D+FEOgh3inwYnIXASdwEDXT+2 lb+IbqjLhkYx7MoKfajABEBAAGJATEEGAECABsFAlY4uCMCGwwECwkIBwYVCAIJCgsFCRLMAwAACgkQ qj6HE4siFid2cQf9G6sstAGA9CBNOWujVe/8YEFYNOSut5upwIRe50/GcBhEoh6p6sMIesaGEwsvwyh V212cpXyi7pLO//jN+swOjVGazz68CRyFLAx8Z6Uyyp5kbj/tnlC5mqoa6KZL36VZTNF3ow0fEm5qNq VD59BxCpOei8r9mMeM4b7rji0lBJC3f6d5hZos9xmCx9Z6ynvWM8nD/bk6XMUKTUEuXr0ESMTkSIXUe O2RYsDHHyrkolWfrJ3npSFaZ4YI7/vSfsTVKgbcVqGZ7Oz3cGeR4vT+9V2MySL9dJr5TFmubPxCVzyw iFyqDh51hDl/oTgzn0OJ2A98hvdCWJODbATdQzExVQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/UIqbZdS81pcF1h7Z-qQ0LwKXZbs>
Subject: Re: [Add] Browser Administrative Authority
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 May 2019 16:57:04 -0000

Glenn’s point is not just about enterprises. It applies to consumer use cases as well.

Neil

Sent from my iPhone

> On 24 May 2019, at 16:58, Adam Roach <adam@nostrum.com> wrote:
> 
> This is called “enterprise policy”, and — as far as I know — all major browsers honor it. 
> 
> See, e.g., https://support.mozilla.org/en-US/products/firefox-enterprise/policies-customization-enterprise/policies-overview-enterprise
> 
> /a
> 
>> On May 24, 2019, at 09:48, Deen, Glenn (NBCUniversal) <Glenn.Deen@nbcuni.com> wrote:
>> 
>> HI everyone,
>>  
>> I’ve been thinking though some of the issues with the proposal DoH deployment in browsers.
>>  
>> A big part of the tug of war here is  the authority precedence for advanced security and network settings that should be followed.    
>>  
>> Historically, it’s been at the device level – which meant the device administrator, which could choose delegate choices to a specific DNS resolver operator, or to the Network DHCP provided settings.     
>>  
>> Now the browser is seeking to adding itself into the authority chain for those settings. The trouble being that this is a major change to the administrative trust model.
>>  
>> To date, browser settings have been limited to rendering options, some basic certificate options, addons, and scripting language choices.    Advance security and trust has remained with the device administrator.     Adding the browser to the administrative chain so that it can control advanced security and network settings introduces a problem because the browser does not have an administrative level authority that is as high as the device administrator.
>>  
>> Current hierarchy (top has more authority)
>>  
>>               Device Administrator       -- device authority for security, network, trust settings
>>               Network Administrator     -- provides recommend network settings to devices
>>               Resolver Administrator    -- can provide filtering
>>               Browser  Maker               -- provides core trusted certificate list
>>               Browser User                  -- can set rendering options, can make limited certificate choices, plugins.  – Impact is limited to the browser sandbox
>>  
>>  
>> The problem is that some of the browser makers proposals are now changing this administrative authority hierarchy, but they haven’t done the extra work of establishing administrative trust and working through the consequences of that such as a child being able to change the browser DNS settings and bypass both resolver, Network, and even OS based restrictions.
>>  
>> So they are changing it to:
>>  
>>               Browser Maker                -- provides default DNS resolver and DNS Protocol choices.
>>               Browser User                  -- can set DNS resolver and DNS protocol
>>               Device Administrator       -- device authority for security, network, trust settings
>>               Network Administrator     -- provides recommend network settings to devices
>>               Resolver Administrator    -- can provide filtering
>>  
>>  
>>  
>> The path to fixing this maybe to see if there is a way to express the administrative hierarchy that respects the intentions of the device administrator on what hierarchy they want to accept/delegate decisions to.
>>  
>> It maybe that what’s needed is a means to communicate to the browser what authority the device administrator wants it to follow, since in the end the device owner should be in charge.
>>  
>>  
>> -glenn
>>  
>> -- 
>> Add mailing list
>> Add@ietf.org
>> https://www.ietf.org/mailman/listinfo/add
> -- 
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add

v2.23.0 | Report a Bug | By Email