IETF Logo Mail Archive

Re: [Add] ADD Requirements Draft

Tommy Pauly <tpauly@apple.com> Thu, 03 September 2020 15:02 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 646B73A0D71 for <add@ietfa.amsl.com>; Thu, 3 Sep 2020 08:02:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kUqrp98tseHC for <add@ietfa.amsl.com>; Thu, 3 Sep 2020 08:02:19 -0700 (PDT)
Received: from nwk-aaemail-lapp01.apple.com (nwk-aaemail-lapp01.apple.com [17.151.62.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79A513A081F for <add@ietf.org>; Thu, 3 Sep 2020 08:02:19 -0700 (PDT)
Received: from pps.filterd (nwk-aaemail-lapp01.apple.com [127.0.0.1]) by nwk-aaemail-lapp01.apple.com (8.16.0.43/8.16.0.42) with SMTP id 083ExfSG013889; Thu, 3 Sep 2020 08:02:15 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=1ZFNG+bvEK6mh520tIBitm7tCPI9LHCG1dRpCBdUcVo=; b=ck8kd4JFRAk1gNzvbiKPomPFj/5NXf78qaVokYz5QfQ61u9e5oTntQQvEJLzTsm3Wyzb pH9q9cr/VCW0QCLj2e5csgmvK5qIvyxiX07KQXqFs50ghOZhPMfHQUpZTbGR8YOPddLj M0HP7yuTYnMvyI6NkLBG8cnmU8MaovI7Whs0l/gpJmoIGrgzrG6v0Kx+fZkKodiE7NpQ iDOChk/IRNh07iMpG0iYOaJ/xSP0CfgU9C0751jQRbXSSTfjaEM831oTP4lKyWTD7KeQ VW4xWdUwhwD6uU7TH08yphSnMmXV1UGOV7NJwqlBgRtpWHio2HD1z1eC+KuyHs6PZH6m kg==
Received: from rn-mailsvcp-mta-lapp01.rno.apple.com (rn-mailsvcp-mta-lapp01.rno.apple.com [10.225.203.149]) by nwk-aaemail-lapp01.apple.com with ESMTP id 337ny0nfrx-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 03 Sep 2020 08:02:15 -0700
Received: from rn-mailsvcp-mmp-lapp03.rno.apple.com (rn-mailsvcp-mmp-lapp03.rno.apple.com [17.179.253.16]) by rn-mailsvcp-mta-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) with ESMTPS id <0QG300UEN8FRGLF0@rn-mailsvcp-mta-lapp01.rno.apple.com>; Thu, 03 Sep 2020 08:02:15 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp03.rno.apple.com by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) id <0QG300A0087MF300@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Thu, 03 Sep 2020 08:02:15 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 6a851ae06bdcf8d0a2f580511df70408
X-Va-E-CD: bf0bc031a54bd74fd7d0e41cfdc9deed
X-Va-R-CD: 5694b27f60861c15238d2f7b28530b57
X-Va-CD: 0
X-Va-ID: 9849c67a-8c98-4723-8581-c766522b4f58
X-V-A:
X-V-T-CD: 6a851ae06bdcf8d0a2f580511df70408
X-V-E-CD: bf0bc031a54bd74fd7d0e41cfdc9deed
X-V-R-CD: 5694b27f60861c15238d2f7b28530b57
X-V-CD: 0
X-V-ID: 123b3e42-6803-4c0b-b7b1-a72d8c5aef84
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-09-03_07:2020-09-03, 2020-09-03 signatures=0
Received: from localhost.localdomain (unknown [17.235.45.106]) by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) with ESMTPSA id <0QG30050F8FOVR10@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Thu, 03 Sep 2020 08:02:14 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <6EAEEBAA-1EC5-4A3B-B1BD-D4BE90830F91@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_02F676A7-29A8-4F07-A230-4244EABE354A"
MIME-version: 1.0 (Mac OS X Mail 14.0 \(3654.0.3.2.26\))
Date: Thu, 03 Sep 2020 08:02:11 -0700
In-reply-to: <CAFpG3gcP=9D=7_yS3Nb6a+jHLCTmS5r6a56sCMR98bnzdgoYSg@mail.gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, ADD Mailing list <add@ietf.org>, Christopher Wood <caw@heapingbits.net>
To: tirumal reddy <kondtir@gmail.com>
References: <31194C90-6C0B-470C-8B14-79C12D2C5C0D@comcast.com> <CACJ6M14gXmEHc_fX8=GpKwRDn6C=R7LR06JG_Qg-cWR5agU9Hw@mail.gmail.com> <391E15D2-9208-4BA9-B01E-3673982DA6CE@apple.com> <CABcZeBMXvcF6PJWE+EkGVx1c9RXzO1XuB3xhrVKUJvUb=aus8A@mail.gmail.com> <4cd8a8c6-3516-4ad6-877c-9460d8096773@www.fastmail.com> <CAFpG3gfkrKGiuPRH1QvH+-w2H=N1ijtDpk5Oh=D2JOp-L4Q1+w@mail.gmail.com> <CABcZeBNhHcNAkVm=PNUvV8_vGVvDvJbaMVHB_w9zu63+ebQwpQ@mail.gmail.com> <CAFpG3gcAjHkh7boDwLq+sHpGtfB2WT0NbuuFqqBQs2M6BZkAOQ@mail.gmail.com> <CABcZeBMi-B7LKB6ipt6vLSZcF9OMLga8f+qydpZVOhOGQrttuQ@mail.gmail.com> <CAFpG3geQefT0=fN-6UFwDqLLqbb1XthHA=np4HPS2NfSO77csA@mail.gmail.com> <CABcZeBPmfe8Um38xFHoxw+26-YQxFUPN+p4aW9uzbPKGy1xz4g@mail.gmail.com> <CAFpG3gefyTcibzfQ-dzXKv5fKE=vwUktux0dz25wNL7_+tf7MA@mail.gmail.com> <CABcZeBMVcH74RYXZrLRNtHLi-xZgGxRHA2CsH6nbiz+5uGM32g@mail.gmail.com> <CAFpG3gcJeXyuJ4n8N6wyDvVJGkO1toVC4hUXjL6ACWg+sent+w@mail.gmail.com> <CABcZeBNS7EEw+zX-rgOJpiBbqw6jn80uXSR60Mj-oCRwEnTAjQ@mail.gmail.com> <CAFpG3gcP=9D=7_yS3Nb6a+jHLCTmS5r6a56sCMR98bnzdgoYSg@mail.gmail.com>
X-Mailer: Apple Mail (2.3654.0.3.2.26)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-09-03_07:2020-09-03, 2020-09-03 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/jGdpAGlrbvyylY8-W7zQEyoQFjE>
Subject: Re: [Add] ADD Requirements Draft
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Sep 2020 15:02:21 -0000


> On Sep 3, 2020, at 2:23 AM, tirumal reddy <kondtir@gmail.com> wrote:
> 
> Hi Eric,
> 
> I think you have misunderstood the purpose of the draft. I would like to clarify the intent:
> 
> 1) It prevents the client from connecting to an Encrypted DNS resolver hosted by an attacker. It is useful when the Encrypted
> DNS server is insecurely discovered (e.g., using DHCP/RA, SUDN) and the discovered encrypted 
> server is not pre-configured in the OS/Browser. It resembles the Background-Check Model discussed in Sections 5.2 and 5.3 of Remote attestation procedure (RATS) Architecture https://tools.ietf.org/html/draft-ietf-rats-architecture-05 <https://tools.ietf.org/html/draft-ietf-rats-architecture-05>.
> 
> 2)It does not require Encrypted DNS servers to use EV certificates. However, the verifier creating the attestation results 
> may or may not use EV certificates depending on whether the Encrypted DNS server will be discovered securely
> or insecurely. For example, the verifier need not use EV certificate in the following scenarios:
> 
> a. If the Encrypted DNS server will only be discovered securely (e.g., using IKEv2), the verifier need not  
>     use an OV/EV certificate.
> 
> b. Another scenario is bootstrapping a networking device to use the encrypted DNS server in the local network. Secure Zero Touch Provisioning (RFC8572) defines a bootstrapping strategy for enabling devices to securely obtain the required configuration information with no user input. If the encrypted DNS server is insecurely discovered and not pre-configured in the networking device, the client can validate the Policy Assertion Token signature using the owner certificate as per Section 3.2 of RFC8572. In this case, the owner certificate 
> need not be an OV/EV certificate.
> 
> 3. The draft also signals resolver information like whether the resolver performs filtering, reasons for filtering and
> URL to privacy/audit statement. It does not signal any machine-parsable privacy policy and it does not intend to replace
> the privacy statement provided by a legal attorney.  It is helpful in scenarios where the discovered resolver is not
> pre-configured in the OS/Browser. It aligns with the charter of ADD to "define a mechanism that allows communication of DNS resolver
> information to clients for use in selection decisions. This could be part of the mechanism used for discovery, above."

This charter point refers, I believe, to information like applicable or private domains, provider identity, etc. I think that filtering policy and auditing statements are not in scope: "Making any recommendations about specific policies for clients or servers is out of scope.”

Thanks,
Tommy
> 
> Hopefully it clarifies for further reviews.
> 
> Cheers,
> -Tiru
> 
> On Thu, 3 Sep 2020 at 06:54, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
> Tirumal, 
> 
> I think this conversation has gone beyond the point where it is productive.
> 
> I do not believe that users are going to be able to meaningfully consume either real world identity information ("This is run by company X") or privacy policy information about resolvers. We've tried that in several other domains and it hasn't worked, and I don't think going through why in a lot of detail is going to illuminate the situation here. But more to the point, I think you're hearing that client vendors aren't interested, so standardizing this would not help. If you want to continue to propose this, I suggest that you find some set of clients which would consume it, at which point a discussion of the merits of this idea will be more useful.
> 
> -Ekr
> 
> 
> 
> On Wed, Sep 2, 2020 at 5:32 AM tirumal reddy <kondtir@gmail.com <mailto:kondtir@gmail.com>> wrote:
> Please see inline
> 
> On Tue, 1 Sep 2020 at 22:16, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
> 
> 
> On Tue, Sep 1, 2020 at 4:10 AM tirumal reddy <kondtir@gmail.com <mailto:kondtir@gmail.com>> wrote:
> Hi Eric,
> 
> Please see inline
> 
> On Fri, 28 Aug 2020 at 19:08, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
> 
> 
> On Fri, Aug 28, 2020 at 12:35 AM tirumal reddy <kondtir@gmail.com <mailto:kondtir@gmail.com>> wrote:
> On Thu, 27 Aug 2020 at 18:46, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
> 
> 
> On Wed, Aug 26, 2020 at 10:15 PM tirumal reddy <kondtir@gmail.com <mailto:kondtir@gmail.com>> wrote:
> Hi Eric,
> 
> Please see inline
> 
> On Wed, 26 Aug 2020 at 16:50, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
> 
> 
> As I said when you first proposed this in an ADD meeting, I do not believe that anything of this kind is viable.  
> 
> 1. Certificates tied to a legal entity have not been effective, which is why browsers are removing EV.
> 
> The draft does not propose using EV certificates for encrypted DNS servers, please see https://tools.ietf.org/html/draft-reddy-add-server-policy-selection-05#section-4 <https://tools.ietf.org/html/draft-reddy-add-server-policy-selection-05#section-4> for more details. 
> 
> It proposes something similar, which I expect to have the same drawbacks.
> 
> Can you please explain the drawbacks for further discussion ?
>  
> 
> 
> 2. There is ample evidence that users do not read privacy policies.
> 
> The DNS server privacy statement is much more simpler compared to a typical privacy statement by a 
> content service provider (see https://tools.ietf.org/html/draft-ietf-dprive-bcp-op-14#section-6 <https://tools.ietf.org/html/draft-ietf-dprive-bcp-op-14#section-6>). 
> 
> I don't think that makes it significantly more likely that people will read it. 
> 
> It varies from person to person. People may not read the privacy statements because they visit several domains in a day. The DNS operators a user will use will be very few, for example an user may want to use a discovered resolver in selected networks like Enterprise or Home network. Further, encrypted DNS resolver publishing the privacy statement URL is a best practise similar to the way OS mandating apps to publish privacy policy.
>  
> 
> 
> Further, automated analysis of a privacy statement is possible using deep learning (https://pribot.org/files/Polisis_USENIX_Security_Paper.pdf <https://pribot.org/files/Polisis_USENIX_Security_Paper.pdf>). You can explore polisis and pritbot at https://pribot.org <https://pribot.org/> to explore the analysis of privacy statements by several organizations.. 
> 
> I took a quick look at this tool and while it appears to be interesting work, it does not produce output which I think is likely for users to actually assimilate. For instance here is what it does with McAfee's policy:
> https://pribot.org/polisis/?company_url=mcafee.com&_id=59d8f9c4e3dd0c4e24555c1d&category=first-party-collection-use <https://pribot.org/polisis/?company_url=mcafee.com&_id=59d8f9c4e3dd0c4e24555c1d&category=first-party-collection-use>
> 
> The summary page is quite easy for end users to review the positives/negatives to watch out for and it also highlights the relevant text in a large privacy document (see https://pribot.org/polisis/?company_url=http%3A%2F%2Fmcafee.com&_id=59d8f9c4e3dd0c4e24555c1d&category=assessment <https://pribot.org/polisis/?company_url=http%3A%2F%2Fmcafee.com&_id=59d8f9c4e3dd0c4e24555c1d&category=assessment>). The DNS server privacy statement is much more simpler compared to a typical privacy statement for deep learning to identify if the server is privacy-friendly. 
>  
> 
> We've already run this experiment of machine readable privacy policies once with P3P and I don't see a reason to think this will be any different
> 
> No, the draft does not discuss any machine readable privacy policies other than conveying the privacy statement URL. 
>  
> 
> Taking a step back here: is there any client with significant usage that would be interested in consuming this kind of policy when published by a resolver? If so, I'd like to hear from them about their needs. If not, it doesn't seem worth discussing further.
> 
> The draft only discusses conveying resolver information and does not discuss any machine parsable privacy policy.
> 
> -Tiru
>  
> 
> -Ekr
> 
> -- 
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add

v2.23.0 | Report a Bug | By Email