Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00

Vittorio Bertola <vittorio.bertola@open-xchange.com> Wed, 17 July 2019 21:35 UTC

Date: Wed, 17 Jul 2019 23:35:26 +0200
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
Reply-To: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: Ted Hardie <ted.ietf@gmail.com>
Cc: add@ietf.org
Message-ID: <845753479.11838.1563399326950@appsuite-gw1.open-xchange.com>
In-Reply-To: <CA+9kkMAdGF_U-syxtFVz-MfBfv-GF_CFouvuUhqcSH96-=Hkjg@mail.gmail.com>
References: <CAChr6SwEUz9MrdRA0bnv9f-oNi0oUHkfRKjd9-o6jwhuckLXdw@mail.gmail.com> <CAFWeb9LNdT=EYVKTsYDxcBCQKoQFNShKotYtWujt4U9GA-V1mg@mail.gmail.com> <CAFWeb9+eWKSKY9O2JLn9-0+Zq7hrD48F-y+Y4T-iRaaF0vtdOA@mail.gmail.com> <A45F4F74-D6C1-435A-A52F-C2DEA82E2999@sky.uk> <CAFWeb9JVBj+Yehup5q4v9X-7XDY+02frd-04AQGL2HoSLON2qA@mail.gmail.com> <CABcZeBMY9q9vKGse1svzbvXF_dSHA+9q06j4ugDVCZP9VT1koQ@mail.gmail.com> <CAChr6Sz5Rfz=UxOYuPguSvVK2HCX2ZoA1-FytW7+EOUxN8y46Q@mail.gmail.com> <CABcZeBNB7ASu2U3ZMBZ+OOxEhbSnhDXwFN3Lsex1uzVSDv3R=Q@mail.gmail.com> <CAChr6SwEwRRX7BA6ZCeBuC93hFxbfi3d7G_3G3VA7Lm09yuneg@mail.gmail.com> <CABcZeBNa97Vb6Fw-fMhoZnMezGtm3nJODENN4=XXsz7GWxf2Cg@mail.gmail.com> <CAChr6Sxm__NroZ92v4HL_6iCa62fwYgNw9r8ZDAxCdzVwNoDGw@mail.gmail.com> <20190716190219.5DEF4156CDF0@fafnir.remote.dragon.net> <CAChr6SzSkVU5xbh0sZCCEgd7BUdr-dMorNq=5iMkWp66k8PVow@mail.gmail.com> <15205609-8203-4C6F-9DE7-14D492873C51@rfc1035.com> <CAChr6Syf_=3__jcv6D7b1JokGFYpFuy9y9419V0nCAx=MMh24A@mail.gmail.com> <1513817825.9983.1563350802523@appsuite-gw1.open-xchange.com> <CA+9kkMAdGF_U-syxtFVz-MfBfv-GF_CFouvuUhqcSH96-=Hkjg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Importance: Medium
Autocrypt: addr=vittorio.bertola@open-xchange.com; prefer-encrypt=mutual; keydata= mQENBFhFR+UBCACfoywFKBRfzasiiR9/6dwY36eLePXcdScumDMR8qoXvRS55QYDjp5bs+yMq41qWV9 xp/cqryY9jnvHbeF3TsE5yEazpD1dleRbkpElUBpPwXqkrSP8uXO9KkS9KoX6gdml6M4L+F82WpqYC1 uTzOE6HPmhmQ4cGSgoia2jolxAhRpzoYN99/BwpvoZeTSLP5K6yPlMPYkMev/uZlAkMMhelli9IN6yA yxcC0AeHSnOAcNKUr13yXyMlTyi1cdMJ4sk88zIbefxwg3PAtYjkz3wgvP96cNVwAgSt4+j/ZuVaENP pgVuM512m051j9SlspWDHtzrci5pBKKFsibnTelrABEBAAG0NUJlcnRvbGEsIFZpdHRvcmlvIDx2aXR 0b3Jpby5iZXJ0b2xhQG9wZW4teGNoYW5nZS5jb20+iQFABBMBAgAqBAsJCAcGFQoJCAsCBRYCAwEAAp 4BAhsDBYkSzAMABQMAAAAABYJYRUflAAoJEIU2cHmzj8qNaG0H/ROY+suCP86hoN+9RIV66Ej8b3sb8 UgwFJOJMupZfeb9yTIJwE4VQT5lTt146CcJJ5jvxD6FZn1Htw9y4/45pPAF7xLE066jg3OqRvzeWRZ3 IDUfJJIiM5YGk1xWxDqppSwhnKcMOuI72iioWxX0nGQrWxpnWJsjt08IEEwuYucDkul1PHsrLJbTd58 fiMKLVwag+IE1SPHOwkPF6arZQZIfB5ThtOZV+36Jn8Hok9XfeXWBVyPkiWCQYVX39QsIbr0JNR9kQy 4g2ZFexOcTe8Jo12jPRL7V8OqStdDes3cje9lWFLnX05nrfLuE0l0JKWEg8akN+McFXc+oV68h7nu5A Q0EWEVH5QEIAIDKanNBe1uRfk8AjLirflZO291VNkOAeUu+dIhecGnZeQW6htlDinlYOnXhtsY1mK9W PUu+xshDq7lXn2G0LxldYwyJYZaJtDgIKqVqwxfA34Lj27oqPuXwcvGhdCgt0SW/YcalRdAi0/AzUCu 5GSaj2kaGUSnBYYUP4szGJXjaK2psP5toQSCtx2pfSXQ6MaqPK9Zzy+D5xc6VWQRp/iRImodAcPf8fg JJvRyJ8Jla3lKWyvBBzJDg6MOf6Fts78bJSt23X0uPp93g7GgbYkuRMnFI4RGoTVkxjD/HBEJ0CNg22 hoHJondhmKnZVrHEluFuSnW0wBEIYomcPSPB+cAEQEAAYkBMQQYAQIAGwUCWEVH5QIbDAQLCQgHBhUK CQgLAgUJEswDAAAKCRCFNnB5s4/KjdO8B/wNpvWtOpLdotR/Xh4fu08Fd63nnNfbIGIETWsVi0Sbr8i E5duuGaaWIcMmUvgKe/BM0Fpj9X01Zjm90uoPrlVVuQWrf+vFlbalUYVZr51gl5UyUFHk+iAZCAA0WB rsmACKvuV1P7GuiX3UV9b59T9taYJxN3dNFuftrEuvsqHimFtlekUjUwoCekTJdncFusBhwz2OrKhHr WWrEsXkfh0+pURWYAlKlTxvXuI7gAfHEQM+6OnrWvXYtlhd0M1sBPnCjbyG63Qws7Rek9bEWKtH6dA6 dmT2FQT+g1S9Mdf0WkPTQNX0x24dm8IoHuD3KYwX7Svx43Xa17aZnXqUjtj1
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/r-vaxea12dk1EKVoW-GI__Hdugk>
Subject: Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00
Precedence: list

Il 17 luglio 2019 17:25 Ted Hardie <ted.ietf@gmail.com> ha scritto:

The IETF was not building these protocols to stop the use of the DNS as a policy enforcement mechanism and it is entirely possible to integrate them into a system which does this by offering the policy enforcing resolver over one of these confidential protocols.

I agree on the second part of your sentence, but I do not fully agree on the first one. In late 2017, several people - including one author of RFC 8484 and one member of the IAB - went on record saying that DoH was being developed exactly to stop the use of DNS as a policy enforcement mechanism. See for example the "DOH" section in this article:

https://blog.apnic.net/2017/12/12/internet-protocols-changing/" rel="nofollow">https://blog.apnic.net/2017/12/12/internet-protocols-changing/

Of course these were not statements made on behalf of "the IETF", nor they represent the objectives of everyone who took part in the work, yet the fact that the whole organization got DoH standardized so quickly is hard to interpret differently than a sign of support both for the technology and for its explicit purpose above.

Now, arguing over this is not very useful, but I wanted to show that the concerns over the IETF's past approach to this matter have some reasons, even if I concede that most issues derive from deployment choices and not from the standard in itself. But if the people making the deployment choices are the same people that wrote and approved the standard, drawing a line is almost impossible.

Rather than falling back to the state where the endpoint simple accepts that its traffic is visible to all and possibly intercepted, this new work is an effort to make it easier for you to gain the cooperation required. I hope you can see that this is in both the interest of policy enforcement bodies and the end users.

Yes, and this is why I was actually defending the spirit of the draft against claims that it would just facilitate downgrade attacks. I think this draft is a step forward, and in general Mozilla appear to be much more receptive to the concerns than they were months ago, and this goes to their merit. I see progress in this discussion and I am happy to continue it.

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com 
Office @ Via Treviso 12, 10144 Torino, Italy

[Add] draft-grover-add-policy-detection-00 Rob Sayre
Re: [Add] draft-grover-add-policy-detection-00 Andy Grover
Re: [Add] draft-grover-add-policy-detection-00 Rob Sayre
Re: [Add] draft-grover-add-policy-detection-00 Eric Rescorla
Re: [Add] draft-grover-add-policy-detection-00 Rob Sayre
Re: [Add] draft-grover-add-policy-detection-00 Eric Rescorla
Re: [Add] draft-grover-add-policy-detection-00 Rob Sayre
Re: [Add] draft-grover-add-policy-detection-00 Vittorio Bertola
Re: [Add] draft-grover-add-policy-detection-00 Alec Muffett
Re: [Add] draft-grover-add-policy-detection-00 Alec Muffett
Re: [Add] draft-grover-add-policy-detection-00 Alec Muffett
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Dixon, Hugh
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Dixon, Hugh
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Dixon, Hugh
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Tommy Jensen
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Jim Reid
[Add] Firefox DoH behaviour Jim Reid
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] Firefox DoH behaviour Eric Rescorla
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Richardson
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: Firefox DoH behaviour Deen, Glenn (NBCUniversal)
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: Firefox DoH behaviour Eric Rescorla
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Barry Greene
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Jim Reid
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Stephen Farrell
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Erik Kline
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Michael Sinatra
Re: [Add] [EXTERNAL] Re: Firefox DoH behaviour Erik Kline
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… tirumal reddy
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Stephen Farrell
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Neil Cook
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Eric Rescorla
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Evan Hunt
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Brian Dickson
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Paul Ebersman
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Brian Dickson
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ted Hardie
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Vittorio Bertola
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Brian Dickson
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Stephen Farrell
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Alec Muffett
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Rob Sayre
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Ralf Weber
Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-… Livingood, Jason