IETF Logo Mail Archive

Re: [Add] Browser Administrative Authority

Tommy Jensen <Jensen.Thomas@microsoft.com> Fri, 24 May 2019 19:37 UTC

Return-Path: <Jensen.Thomas@microsoft.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 179971200F5 for <add@ietfa.amsl.com>; Fri, 24 May 2019 12:37:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.009
X-Spam-Level:
X-Spam-Status: No, score=-2.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zglVw2Ajg2Te for <add@ietfa.amsl.com>; Fri, 24 May 2019 12:37:05 -0700 (PDT)
Received: from NAM05-BY2-obe.outbound.protection.outlook.com (mail-eopbgr710099.outbound.protection.outlook.com [40.107.71.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3E8F12007C for <add@ietf.org>; Fri, 24 May 2019 12:37:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=testarcselector01; d=microsoft.com; cv=none; b=HP6rx8ksrOng7Ybw3xfZEkW/L4+erSs2JHBKxZi1kwoYmhb7P/w3m9fzRukkxKg7PmTGPGSzHAv7w9JDNawx89IAwHGwfX78A9fsD2+dit+Ayzb5FWt/DlxDuVMBRS0a/Aic/96xmDSqzXO+nkSt+beu2VshKT2jr4YP39fGcI4=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=testarcselector01; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rISv9qDxSoK+YRUlEBtDc9c2Izcx754Q84XCZLXvXpM=; b=ou8HFBvO53mU6JM5HPNSsYlg01zfHqGspCGe5Dm60Pv0es4F9pXd1s/U3LPpJedXr6PDmSDRbXZOWFYRuFhT0+qQu+BntIio8HB2CAQ+BT/OF1yYPaF/pelXPy4Qjl8MGu3o35Px1BK9jVrDwAyoE5eLmD3s7jkIJgBuwRXAFxk=
ARC-Authentication-Results: i=1; test.office365.com 1;spf=none;dmarc=none;dkim=none;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rISv9qDxSoK+YRUlEBtDc9c2Izcx754Q84XCZLXvXpM=; b=GTqEWLydu2pYESC4djgNxE6Ak0pqVLIYDVed9yKvvGKuvXS+0S280mWK8V+KV/UwiiLl7SsK4X5By7RzEoRCjbT+G9150DkVqNX2W16eeUraudgwOxPWyRGxFVnmAu6VdXyhbJyASF1flopkoKikF/1Sz7ZpurxPJIq4x+aLx4A=
Received: from MN2PR21MB1213.namprd21.prod.outlook.com (2603:10b6:208:3a::13) by MN2PR21MB1213.namprd21.prod.outlook.com (2603:10b6:208:3a::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1943.4; Fri, 24 May 2019 19:37:02 +0000
Received: from MN2PR21MB1213.namprd21.prod.outlook.com ([fe80::2583:ea78:45d9:cf2a]) by MN2PR21MB1213.namprd21.prod.outlook.com ([fe80::2583:ea78:45d9:cf2a%7]) with mapi id 15.20.1943.007; Fri, 24 May 2019 19:37:02 +0000
From: Tommy Jensen <Jensen.Thomas@microsoft.com>
To: Tom Ritter <tom@ritter.vg>
CC: "Cook, Neil" <neil.cook@open-xchange.com>, Adam Roach <adam@nostrum.com>, "add@ietf.org" <add@ietf.org>, "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>
Thread-Topic: [Add] Browser Administrative Authority
Thread-Index: AQHVEj/KCszQjrP3dE6V1AF0CU4zcaZ6bliAgAAQiwCAAAj8aIAAH/aAgAAAjUk=
Date: Fri, 24 May 2019 19:37:02 +0000
Message-ID: <MN2PR21MB1213F859645C1564C6F36B2CFA020@MN2PR21MB1213.namprd21.prod.outlook.com>
References: <182C9119-59F9-43FA-B116-4D45649B74B5@nbcuni.com> <07A89E54-2DFC-4B5A-9784-610BBE7D2BB2@nostrum.com> <125917581.1152.1558717017241@appsuite-gw4.open-xchange.com> <MN2PR21MB1213868D0BC3575C2589B670FA020@MN2PR21MB1213.namprd21.prod.outlook.com>, <CA+cU71mw77uS-BROWrFsGg9OSPEfAVk71UnzgL_5wWdM_znHnw@mail.gmail.com>
In-Reply-To: <CA+cU71mw77uS-BROWrFsGg9OSPEfAVk71UnzgL_5wWdM_znHnw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Jensen.Thomas@microsoft.com;
x-originating-ip: [73.157.47.180]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b205c56f-8f69-4947-8b4c-08d6e07f3225
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(4618075)(2017052603328)(7193020); SRVR:MN2PR21MB1213;
x-ms-traffictypediagnostic: MN2PR21MB1213:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <MN2PR21MB1213EB9D5E84C8CEEC606580FA020@MN2PR21MB1213.namprd21.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0047BC5ADE
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(366004)(396003)(376002)(136003)(346002)(199004)(189003)(53754006)(86362001)(52536014)(25786009)(66574012)(8936002)(14454004)(478600001)(229853002)(5660300002)(561944003)(86612001)(102836004)(14444005)(3846002)(256004)(6116002)(6436002)(55016002)(6506007)(9686003)(53546011)(6246003)(53936002)(236005)(68736007)(966005)(72206003)(4326008)(7736002)(54896002)(6306002)(10290500003)(74316002)(316002)(8676002)(81156014)(71190400001)(7696005)(54906003)(486006)(8990500004)(71200400001)(76176011)(22452003)(33656002)(2906002)(606006)(81166006)(52396003)(91956017)(76116006)(66476007)(73956011)(66946007)(186003)(66066001)(26005)(99286004)(446003)(11346002)(6916009)(10090500001)(476003)(66446008)(66556008)(64756008)(105004)(19627405001); DIR:OUT; SFP:1102; SCL:1; SRVR:MN2PR21MB1213; H:MN2PR21MB1213.namprd21.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 8ycAhf8DdDNPUQW7qeIhruLIKG+SwJ8G0eyvaqTvquup84yfBJ1IGJMY26zGixuNPAgoMk3vnHf/Ij2FJ0OvM78G2aeRWP9ED3kSSPObg/v5ftPGqigzXijVmR8qVG/LkPQgWZLHwdPvIahRO0PuF3KITu2DbQGwbK935oPaiD33VY9/mh6xY9de9gLiciGq2P43w6F+971F1oTs4Oi7fVQsmcwIekOwwWhTNX5eFWP+0TpFZoMrOuXKd344FDr4oxDh5w6E2sZYWOrrL/6VE5FevGsLkI6LQEC+XrSd1GdVu3vi0DGrId0qW5QJFF0grjqqOxfjdPHzhhBGAT1kssyzu1UZs2nuvIcyc/w5rgpb+M+A0ZkHns3i/LnyV65iVkDU/S0fSaL5PNlYFkV1owqbj/AYgPCC2hOxeEMkCh0=
Content-Type: multipart/alternative; boundary="_000_MN2PR21MB1213F859645C1564C6F36B2CFA020MN2PR21MB1213namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b205c56f-8f69-4947-8b4c-08d6e07f3225
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 May 2019 19:37:02.5282 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: tojens@microsoft.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR21MB1213
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/7FgRRBcX97jIsisR-bIzrPUCqDQ>
Subject: Re: [Add] Browser Administrative Authority
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 May 2019 19:37:09 -0000

Good point. I made a leap by connecting network admin with device admin for a simple reason: today, most platforms do trust their network via their default setting of using the DNS servers recommended by the network. Whether that's ideal is another topic.

To eliminate network trust as a variable in this discussion, let's have the story be the use of a DNS provider, say CleanBrowsing for example. In this scenario, the parent as the device admin has manually changed the device's DNS server settings to point to CleanBrowsing. However, the use of an app which rolls its own DNS stack by default will bypass this configuration. Device authority has been sidestepped in a way the user is not likely to understand.

I agree with your point that device administration is the appropriate answer. Apps should defer to (or proactively refer to if they want to suggest changes) device configuration rather than the device needing to be aware of the nuances of each app it could be running.

Thanks,
Tommy
________________________________
From: Tom Ritter <tom@ritter.vg>
Sent: Friday, May 24, 2019 12:23 PM
To: Tommy Jensen
Cc: Cook, Neil; Adam Roach; add@ietf.org; Deen, Glenn (NBCUniversal)
Subject: Re: [Add] Browser Administrative Authority

"imagine a parent who configures content controls through their ISP"

Okay; but then this isn't a device administrator. This is a network
administrator. (And whether it's enterprise or not isn't really
relevant, no feature is restricted to enterprise use.)

The network should be considered hostile until configured otherwise
because... the network usually is hostile. Or at least it's untrusted.
Every cellular connection; every coffee shop, every store's free wifi,
every friend's network you connect to, every AirBnB wireless, every
hotel... Percentage-wise, the number of untrusted networks the average
user connects to dwarfs the number of trusted networks (even if the
percentage of time spent on untrusted networks is dwarfed by the
percentage spent on trusted networks.)

Device administration is the appropriate answer here - it's the
appropriate trust boundary for users. An administrator of a device is
a person or organization the user of that device knows and understands
controls it. For the network to be able to override and disable users'
security and privacy controls is inappropriate - for example we don't
allow networks to strip TLS. UNLESS, of course, the device is
configured to allow such activity.

-tom

On Fri, 24 May 2019 at 17:53, Tommy Jensen
<Jensen.Thomas=40microsoft.com@dmarc.ietf.org> wrote:
>
> Glenn, that was a great write-up. Thanks for sharing.
>
> To highlight Neil's point about this not being enterprise only: imagine a parent who configures content controls through their ISP. In a world where the browser defaults the user into using the browser's own DNS (DoH or otherwise) while bypassing system policies, children have a no effort needed sidestep to parental controls and it won't be immediately obvious to the parent why their controls don't work.
>
> I don't think asking the platform and other apps on the platform to all be aware of one another's policies is scalable. For the same reasons Glenn gave, I think apps should defer to the platform, redirecting users to make changes there rather than making changes within their own space.
>
> Thanks,
> Tommy
>
> ________________________________
> From: Add <add-bounces@ietf.org> on behalf of Cook, Neil <neil.cook=40open-xchange.com@dmarc.ietf.org>
> Sent: Friday, May 24, 2019 9:56 AM
> To: Adam Roach
> Cc: add@ietf.org; Deen, Glenn (NBCUniversal)
> Subject: Re: [Add] Browser Administrative Authority
>
> Glenn’s point is not just about enterprises. It applies to consumer use cases as well.
>
> Neil
>
> Sent from my iPhone
>
> On 24 May 2019, at 16:58, Adam Roach <adam@nostrum.com> wrote:
>
> This is called “enterprise policy”, and — as far as I know — all major browsers honor it.
>
> See, e.g., https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.mozilla.org%2Fen-US%2Fproducts%2Ffirefox-enterprise%2Fpolicies-customization-enterprise%2Fpolicies-overview-enterprise&amp;data=02%7C01%7CJensen.Thomas%40microsoft.com%7Cac269940328c4cf2713708d6e07d59f9%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636943226330979994&amp;sdata=Qx5XXn2n77kMw9TscJ5Fxexlnju92%2BQtUad%2FqEXU500%3D&amp;reserved=0
>
> /a
>
> On May 24, 2019, at 09:48, Deen, Glenn (NBCUniversal) <Glenn.Deen@nbcuni.com> wrote:
>
> HI everyone,
>
>
>
> I’ve been thinking though some of the issues with the proposal DoH deployment in browsers.
>
>
>
> A big part of the tug of war here is  the authority precedence for advanced security and network settings that should be followed.
>
>
>
> Historically, it’s been at the device level – which meant the device administrator, which could choose delegate choices to a specific DNS resolver operator, or to the Network DHCP provided settings.
>
>
>
> Now the browser is seeking to adding itself into the authority chain for those settings. The trouble being that this is a major change to the administrative trust model.
>
>
>
> To date, browser settings have been limited to rendering options, some basic certificate options, addons, and scripting language choices.    Advance security and trust has remained with the device administrator.     Adding the browser to the administrative chain so that it can control advanced security and network settings introduces a problem because the browser does not have an administrative level authority that is as high as the device administrator.
>
>
>
> Current hierarchy (top has more authority)
>
>
>
>               Device Administrator       -- device authority for security, network, trust settings
>
>               Network Administrator     -- provides recommend network settings to devices
>
>               Resolver Administrator    -- can provide filtering
>
>               Browser  Maker               -- provides core trusted certificate list
>
>               Browser User                  -- can set rendering options, can make limited certificate choices, plugins.  – Impact is limited to the browser sandbox
>
>
>
>
>
> The problem is that some of the browser makers proposals are now changing this administrative authority hierarchy, but they haven’t done the extra work of establishing administrative trust and working through the consequences of that such as a child being able to change the browser DNS settings and bypass both resolver, Network, and even OS based restrictions.
>
>
>
> So they are changing it to:
>
>
>
>               Browser Maker                -- provides default DNS resolver and DNS Protocol choices.
>
>               Browser User                  -- can set DNS resolver and DNS protocol
>
>               Device Administrator       -- device authority for security, network, trust settings
>
>               Network Administrator     -- provides recommend network settings to devices
>
>               Resolver Administrator    -- can provide filtering
>
>
>
>
>
>
>
> The path to fixing this maybe to see if there is a way to express the administrative hierarchy that respects the intentions of the device administrator on what hierarchy they want to accept/delegate decisions to.
>
>
>
> It maybe that what’s needed is a means to communicate to the browser what authority the device administrator wants it to follow, since in the end the device owner should be in charge.
>
>
>
>
>
> -glenn
>
>
>
> --
> Add mailing list
> Add@ietf.org
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fadd&amp;data=02%7C01%7CJensen.Thomas%40microsoft.com%7Cac269940328c4cf2713708d6e07d59f9%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636943226330979994&amp;sdata=wbq0RiqgNQODZ%2FY%2BCX6Ie1iYjbG4uw5iRHQ7glreOIk%3D&amp;reserved=0
>
> --
> Add mailing list
> Add@ietf.org
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fadd&amp;data=02%7C01%7CJensen.Thomas%40microsoft.com%7Cac269940328c4cf2713708d6e07d59f9%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636943226330979994&amp;sdata=wbq0RiqgNQODZ%2FY%2BCX6Ie1iYjbG4uw5iRHQ7glreOIk%3D&amp;reserved=0
>
> --
> Add mailing list
> Add@ietf.org
> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fadd&amp;data=02%7C01%7CJensen.Thomas%40microsoft.com%7Cac269940328c4cf2713708d6e07d59f9%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636943226330979994&amp;sdata=wbq0RiqgNQODZ%2FY%2BCX6Ie1iYjbG4uw5iRHQ7glreOIk%3D&amp;reserved=0

v2.23.0 | Report a Bug | By Email