IETF Logo Mail Archive

Re: [Add] Fwd: New Version Notification for draft-reddy-dprive-dprive-privacy-policy-00.txt

Michael Richardson <mcr@sandelman.ca> Mon, 07 October 2019 12:25 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B575712007C for <add@ietfa.amsl.com>; Mon, 7 Oct 2019 05:25:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h9qFTGnk37GD for <add@ietfa.amsl.com>; Mon, 7 Oct 2019 05:25:24 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B80B312004E for <add@ietf.org>; Mon, 7 Oct 2019 05:25:23 -0700 (PDT)
Received: from dooku.sandelman.ca (unknown [80.233.45.41]) by relay.sandelman.ca (Postfix) with ESMTPS id 2FCBF1F456; Mon, 7 Oct 2019 12:25:21 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 6CFDE2B03; Mon, 7 Oct 2019 11:58:19 +0200 (CEST)
From: Michael Richardson <mcr@sandelman.ca>
To: ADD Mailing list <add@ietf.org>
cc: Paul Wouters <paul@nohats.ca>
In-reply-to: <alpine.LRH.2.21.1910051351420.26913@bofh.nohats.ca>
References: <157009854908.16293.4269133049514081713.idtracker@ietfa.amsl.com> <CAFpG3gdpYASvfz_ey=fsh6+8LQ11EJGyU-dVxH7_1QmVeiAQKg@mail.gmail.com> <alpine.LRH.2.21.1910051351420.26913@bofh.nohats.ca>
Comments: In-reply-to Paul Wouters <paul@nohats.ca> message dated "Sat, 05 Oct 2019 13:58:01 -0400."
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Mon, 07 Oct 2019 11:58:19 +0200
Message-ID: <28989.1570442299@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/hFZnupKGBn-V4XLx7RfeW_eeFC8>
X-Mailman-Approved-At: Mon, 07 Oct 2019 07:06:46 -0700
Subject: Re: [Add] Fwd: New Version Notification for draft-reddy-dprive-dprive-privacy-policy-00.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Oct 2019 12:25:26 -0000

Paul Wouters <paul@nohats.ca> wrote:
    >> We have
    >> published https://tools.ietf.org/html/draft-reddy-dprive-dprive-privacy-policy-00 that
    >> discusses a mechanism for the DNS server to communicate its
    >> cryptographically signed privacy policy information to a DNS
    >> client. By evaluating the DNS privacy policy and the signatory, the
    >> DNS client can choose to  select or avoid a DoT/DoH server if it
    >> doesn't comply with the client's privacy expectations.

    > Section 10 Security Considerations describes well why I think this is
    > not a good idea. Publishing a privacy policy in a computer consumable
    > way has no relationship to the actual DNS server's privacy policy used.

    > This is not a technical wire problem to solve with an RFC. It is a
    > social-economic issue. Can we trust vendor X? And vendor X making
    > claims in JSON about this isn't useful from a technical point of view,
    > no matter how or where and with what such statements are (self)signed.

Of course vendor X probably can't say anything trust-worthy about itself.
Depending upon one's relationship with X one may be in a position to believe
statements from it and take appropriate action.  For instance, if X is your
employer and your BYOD is paying attention to this statement, then you might
decide to refrain from visiting NSFW site FOO. Or decide to use LTE.

But, we anticipate that vendor X would have the implementation of their
policy reviewed regularly by some other endorser Y.  We have been in contact
with a few entities that have done these kinds of reviews of DoT systems in
the past, but at this point I don't think we have a shared understanding of
goals yet. 

Section 6...

   The PAT is cryptographically signed by the domain hosting the DNS
   server and OPTIONALLY BY A THIRD PARTY WHO PERFORMED PRIVACY AND
   SECURITY AUDIT OF THE DNS SERVER.  The privacy policy information
   will be attested using "Organization Validation" (OV) or "Extended
   Validation" (EV) certificates to avoid bad actors taking advantage of
   this mechanism to advertise DNS-over-TLS and DNS-over-HTTPS servers
   for illegitimate and fraudulent purposes meant to trick DNS clients
   into believing that they are using a legitimate DNS-over-TLS or DNS-
   over-HTTPS server hosted to provide privacy for DNS transactions.
   Alternatively, the DNS client will have to be configured to trust the
   leaf of the signer of the PAT object.  That is, trust of the signer
   MUST NOT be determined by validating the signer via the OS or browser
   trust chain because that would allow any arbitrary entity to operate
   a DNS server and assert any sort of privacy policy.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

v2.23.0 | Report a Bug | By Email