IETF Logo Mail Archive

Re: [Add] [EXTERNAL] Re: ADD Requirements Draft

Tommy Pauly <tpauly@apple.com> Tue, 01 September 2020 19:57 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 359943A100F for <add@ietfa.amsl.com>; Tue, 1 Sep 2020 12:57:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ahBEsLflMfdX for <add@ietfa.amsl.com>; Tue, 1 Sep 2020 12:57:37 -0700 (PDT)
Received: from ma1-aaemail-dr-lapp03.apple.com (ma1-aaemail-dr-lapp03.apple.com [17.171.2.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46EE53A1010 for <add@ietf.org>; Tue, 1 Sep 2020 12:57:37 -0700 (PDT)
Received: from pps.filterd (ma1-aaemail-dr-lapp03.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp03.apple.com (8.16.0.42/8.16.0.42) with SMTP id 081JrwKe030242; Tue, 1 Sep 2020 12:57:32 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=a/pTrBmlDbohX2q85AmKik5nt+WvIre1V+ZtJ73+Hx0=; b=d+2NxFZvsuG3MPmomLyWAzQT/hjcpTHNbq/XixsWyTcb7L/5ARYBaRGK9HlSJVULjKeQ ydjJMDQgWWv7YSk5oOV9x9mh+1DgAz6OLEL/IBdpbiGkx+KQqhuF3JhoyFyS+BAUvzoP 1GjfkfB5SgqGnESKGeJXRJPdTZZLTzhPyc8BJJNTFZmCA2nzFeGt3WzPOi1ndVKO1gUz YjNOC5gks5lt4iQWpJBk0Di2efn3m+koUxfpSCxEitagbKAPxlK/44hcDaFyFC7jRUPJ A67oA8/VB9GeUl5gC5uwaPMwAEXQRpGzm34gUe1ofWAb3RJPLx3zQqYhHb66SJUBal3Z Vw==
Received: from rn-mailsvcp-mta-lapp02.rno.apple.com (rn-mailsvcp-mta-lapp02.rno.apple.com [10.225.203.150]) by ma1-aaemail-dr-lapp03.apple.com with ESMTP id 337p0urdj2-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Tue, 01 Sep 2020 12:57:31 -0700
Received: from rn-mailsvcp-mmp-lapp04.rno.apple.com (rn-mailsvcp-mmp-lapp04.rno.apple.com [17.179.253.17]) by rn-mailsvcp-mta-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) with ESMTPS id <0QFZ00HJXWRV4AM0@rn-mailsvcp-mta-lapp02.rno.apple.com>; Tue, 01 Sep 2020 12:57:31 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp04.rno.apple.com by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) id <0QFZ00H00WC5PO00@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Tue, 01 Sep 2020 12:57:31 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 0a49a7bb37069e78ee0b033853dbbf75
X-Va-E-CD: 27ac7b244daca59c4d2ff3e004d92167
X-Va-R-CD: 0aa83da6a0c1cac88c0bfe033e678b16
X-Va-CD: 0
X-Va-ID: 8054c667-afc8-4695-a157-486f2d92308e
X-V-A:
X-V-T-CD: 0a49a7bb37069e78ee0b033853dbbf75
X-V-E-CD: 27ac7b244daca59c4d2ff3e004d92167
X-V-R-CD: 0aa83da6a0c1cac88c0bfe033e678b16
X-V-CD: 0
X-V-ID: ef1342f0-75e5-4a62-ab1f-83dfb7d4caff
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-09-01_10:2020-09-01, 2020-09-01 signatures=0
Received: from localhost.localdomain (unknown [17.234.20.180]) by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) with ESMTPSA id <0QFZ00U86WRTF600@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Tue, 01 Sep 2020 12:57:30 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <07B4108E-07BC-4755-96FB-31D43DCDC19C@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_9D3A7474-38BB-4146-8D2C-034DF54A4C7D"
MIME-version: 1.0 (Mac OS X Mail 14.0 \(3654.0.3.2.26\))
Date: Tue, 01 Sep 2020 12:57:28 -0700
In-reply-to: <DM6PR00MB0783D4A658BE3BA8EBD6533BFA2E1@DM6PR00MB0783.namprd00.prod.outlook.com>
Cc: Eric Rescorla <ekr@rtfm.com>, tirumal reddy <kondtir@gmail.com>, ADD Mailing list <add@ietf.org>, Christopher Wood <caw@heapingbits.net>
To: Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>
References: <31194C90-6C0B-470C-8B14-79C12D2C5C0D@comcast.com> <CACJ6M14gXmEHc_fX8=GpKwRDn6C=R7LR06JG_Qg-cWR5agU9Hw@mail.gmail.com> <391E15D2-9208-4BA9-B01E-3673982DA6CE@apple.com> <CABcZeBMXvcF6PJWE+EkGVx1c9RXzO1XuB3xhrVKUJvUb=aus8A@mail.gmail.com> <4cd8a8c6-3516-4ad6-877c-9460d8096773@www.fastmail.com> <CAFpG3gfkrKGiuPRH1QvH+-w2H=N1ijtDpk5Oh=D2JOp-L4Q1+w@mail.gmail.com> <CABcZeBNhHcNAkVm=PNUvV8_vGVvDvJbaMVHB_w9zu63+ebQwpQ@mail.gmail.com> <CAFpG3gcAjHkh7boDwLq+sHpGtfB2WT0NbuuFqqBQs2M6BZkAOQ@mail.gmail.com> <CABcZeBMi-B7LKB6ipt6vLSZcF9OMLga8f+qydpZVOhOGQrttuQ@mail.gmail.com> <CAFpG3geQefT0=fN-6UFwDqLLqbb1XthHA=np4HPS2NfSO77csA@mail.gmail.com> <CABcZeBPmfe8Um38xFHoxw+26-YQxFUPN+p4aW9uzbPKGy1xz4g@mail.gmail.com> <CAFpG3gefyTcibzfQ-dzXKv5fKE=vwUktux0dz25wNL7_+tf7MA@mail.gmail.com> <CABcZeBMVcH74RYXZrLRNtHLi-xZgGxRHA2CsH6nbiz+5uGM32g@mail.gmail.com> <DM6PR00MB0783D4A658BE3BA8EBD6533BFA2E1@DM6PR00MB0783.namprd00.prod.outlook.com>
X-Mailer: Apple Mail (2.3654.0.3.2.26)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-09-01_10:2020-09-01, 2020-09-01 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/kKPCCxwZ11HAI6tOmIj7SmxVLVk>
Subject: Re: [Add] [EXTERNAL] Re: ADD Requirements Draft
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Sep 2020 19:57:39 -0000

Agreed. From my perspective as a client vendor, I don’t see a likely path to consuming this kind of policy. This is one of the reasons I’ve argued that we should have in our requirements a limitation that the entity that provides DNS should be one that the client already has a relationship with—we don’t need any new explanation of policy, we’re relying on existing relationships.

Thanks,
Tommy (Pauly)

> On Sep 1, 2020, at 10:11 AM, Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org> wrote:
> 
> ekr> Taking a step back here: is there any client with significant usage that would be interested in consuming this kind of policy when published by a resolver?
> 
> Speaking for myself: no. The user either understands the implications and has pre-configured a resolver of their choice, or they don't and expect DNS to just work. Until DNS server choice is an everyday user concept akin to music streaming app choice (or at least wireless network choice), that will continue to be the case.
> 
> Thanks,
> Tommy
> 
> From: Add <add-bounces@ietf.org <mailto:add-bounces@ietf.org>> on behalf of Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>>
> Sent: Tuesday, September 1, 2020 9:46 AM
> To: tirumal reddy <kondtir@gmail.com <mailto:kondtir@gmail.com>>
> Cc: ADD Mailing list <add@ietf.org <mailto:add@ietf.org>>; Christopher Wood <caw@heapingbits.net <mailto:caw@heapingbits.net>>
> Subject: [EXTERNAL] Re: [Add] ADD Requirements Draft
>  
> 
> 
> On Tue, Sep 1, 2020 at 4:10 AM tirumal reddy <kondtir@gmail.com <mailto:kondtir@gmail.com>> wrote:
> Hi Eric,
> 
> Please see inline
> 
> On Fri, 28 Aug 2020 at 19:08, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
> 
> 
> On Fri, Aug 28, 2020 at 12:35 AM tirumal reddy <kondtir@gmail.com <mailto:kondtir@gmail.com>> wrote:
> On Thu, 27 Aug 2020 at 18:46, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
> 
> 
> On Wed, Aug 26, 2020 at 10:15 PM tirumal reddy <kondtir@gmail.com <mailto:kondtir@gmail.com>> wrote:
> Hi Eric,
> 
> Please see inline
> 
> On Wed, 26 Aug 2020 at 16:50, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
> 
> 
> As I said when you first proposed this in an ADD meeting, I do not believe that anything of this kind is viable.  
> 
> 1. Certificates tied to a legal entity have not been effective, which is why browsers are removing EV.
> 
> The draft does not propose using EV certificates for encrypted DNS servers, please see https://tools.ietf.org/html/draft-reddy-add-server-policy-selection-05#section-4 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-reddy-add-server-policy-selection-05%23section-4&data=02%7C01%7CJensen.Thomas%40microsoft.com%7C4f39107a43f8461cc8c808d84e96ac6c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637345757215760305&sdata=zwTj9VSEumHDnBDlWRQySYQf2lljLOE7aG%2FcNJKWx%2Bk%3D&reserved=0> for more details. 
> 
> It proposes something similar, which I expect to have the same drawbacks.
> 
> 
> 2. There is ample evidence that users do not read privacy policies.
> 
> The DNS server privacy statement is much more simpler compared to a typical privacy statement by a 
> content service provider (see https://tools.ietf.org/html/draft-ietf-dprive-bcp-op-14#section-6 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-dprive-bcp-op-14%23section-6&data=02%7C01%7CJensen.Thomas%40microsoft.com%7C4f39107a43f8461cc8c808d84e96ac6c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637345757215770297&sdata=Aon0Ne%2FXFeIqNAPGMS5g0t%2FpPaqrg9bs3OTDJzK3wn8%3D&reserved=0>). 
> 
> I don't think that makes it significantly more likely that people will read it.
> 
> 
> Further, automated analysis of a privacy statement is possible using deep learning (https://pribot.org/files/Polisis_USENIX_Security_Paper.pdf <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpribot.org%2Ffiles%2FPolisis_USENIX_Security_Paper.pdf&data=02%7C01%7CJensen.Thomas%40microsoft.com%7C4f39107a43f8461cc8c808d84e96ac6c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637345757215770297&sdata=btIZBlgmsG2b9zCE6pSjQt7q%2FteV6HVT8fakqd08sWQ%3D&reserved=0>). You can explore polisis and pritbot at https://pribot.org <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpribot.org%2F&data=02%7C01%7CJensen.Thomas%40microsoft.com%7C4f39107a43f8461cc8c808d84e96ac6c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637345757215780290&sdata=DluH1rTl9DL%2Blcmt0nb5jhy9H6i1QyJwGJhBkT3x%2FoM%3D&reserved=0> to explore the analysis of privacy statements by several organizations.. 
> 
> I took a quick look at this tool and while it appears to be interesting work, it does not produce output which I think is likely for users to actually assimilate. For instance here is what it does with McAfee's policy:
> https://pribot.org/polisis/?company_url=mcafee.com&_id=59d8f9c4e3dd0c4e24555c1d&category=first-party-collection-use <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpribot.org%2Fpolisis%2F%3Fcompany_url%3Dmcafee.com%26_id%3D59d8f9c4e3dd0c4e24555c1d%26category%3Dfirst-party-collection-use&data=02%7C01%7CJensen.Thomas%40microsoft.com%7C4f39107a43f8461cc8c808d84e96ac6c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637345757215780290&sdata=gL%2BUOJ3dykOrd316WbZH5HpswalaWAKHscWQspcHM7w%3D&reserved=0>
> 
> We've already run this experiment of machine readable privacy policies once with P3P and I don't see a reason to think this will be any different
> 
> Taking a step back here: is there any client with significant usage that would be interested in consuming this kind of policy when published by a resolver? If so, I'd like to hear from them about their needs. If not, it doesn't seem worth discussing further.
> 
> -Ekr
> 
> -- 
> Add mailing list
> Add@ietf.org <mailto:Add@ietf.org>
> https://www.ietf.org/mailman/listinfo/add <https://www.ietf.org/mailman/listinfo/add>

v2.23.0 | Report a Bug | By Email