Re: [Add] [EXTERNAL] Re: ADD Requirements Draft
Eric Rescorla <ekr@rtfm.com> Tue, 01 September 2020 20:01 UTC
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 01 Sep 2020 13:00:34 -0700
Message-ID: <CABcZeBMubCdemBnV9m3RgmeV=oD2zvhE7hPFX85HL8zi1jLTgg@mail.gmail.com>
To: Tommy Pauly <tpauly@apple.com>
Cc: Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>, tirumal reddy <kondtir@gmail.com>, ADD Mailing list <add@ietf.org>, Christopher Wood <caw@heapingbits.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/wfknoIwS9NcWLsAMhfswaQDS2-I>
In case it wasn't clear, I don't believe that we (Firefox) would want this either.

-Ekr

On Tue, Sep 1, 2020 at 12:57 PM Tommy Pauly <tpauly@apple.com> wrote:

> Agreed. From my perspective as a client vendor, I don’t see a likely path to consuming this kind of policy. This is one of the reasons I’ve argued that we should have in our requirements a limitation that the entity that provides DNS should be one that the client already has a relationship with—we don’t need any new explanation of policy, we’re relying on existing relationships.
>
> Thanks,
> Tommy (Pauly)
>
> On Sep 1, 2020, at 10:11 AM, Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org> wrote:
>
> ekr> Taking a step back here: is there any client with significant usage that would be interested in consuming this kind of policy when published by a resolver?
>
> Speaking for myself: no. The user either understands the implications and has pre-configured a resolver of their choice, or they don't and expect DNS to just work. Until DNS server choice is an everyday user concept akin to music streaming app choice (or at least wireless network choice), that will continue to be the case.
>
> Thanks,
> Tommy
>
> ------------------------------
> *From:* Add <add-bounces@ietf.org> on behalf of Eric Rescorla <ekr@rtfm.com>
> *Sent:* Tuesday, September 1, 2020 9:46 AM
> *To:* tirumal reddy <kondtir@gmail.com>
> *Cc:* ADD Mailing list <add@ietf.org>; Christopher Wood <caw@heapingbits.net>
> *Subject:* [EXTERNAL] Re: [Add] ADD Requirements Draft
>
> On Tue, Sep 1, 2020 at 4:10 AM tirumal reddy <kondtir@gmail.com> wrote:
>
> Hi Eric,
>
> Please see inline
>
> On Fri, 28 Aug 2020 at 19:08, Eric Rescorla <ekr@rtfm.com> wrote:
>
> On Fri, Aug 28, 2020 at 12:35 AM tirumal reddy <kondtir@gmail.com> wrote:
>
> On Thu, 27 Aug 2020 at 18:46, Eric Rescorla <ekr@rtfm.com> wrote:
>
> On Wed, Aug 26, 2020 at 10:15 PM tirumal reddy <kondtir@gmail.com> wrote:
>
> Hi Eric,
>
> Please see inline
>
> On Wed, 26 Aug 2020 at 16:50, Eric Rescorla <ekr@rtfm.com> wrote:
>
> As I said when you first proposed this in an ADD meeting, I do not believe that anything of this kind is viable.
>
> 1. Certificates tied to a legal entity have not been effective, which is why browsers are removing EV.
>
> The draft does not propose using EV certificates for encrypted DNS servers, please see https://tools.ietf.org/html/draft-reddy-add-server-policy-selection-05#section-4 for more details.
>
> It proposes something similar, which I expect to have the same drawbacks.
>
> 2. There is ample evidence that users do not read privacy policies.
>
> The DNS server privacy statement is much simpler compared to a typical privacy statement by a content service provider (see https://tools.ietf.org/html/draft-ietf-dprive-bcp-op-14#section-6).
>
> I don't think that makes it significantly more likely that people will read it.
>
> Further, automated analysis of a privacy statement is possible using deep learning (https://pribot.org/files/Polisis_USENIX_Security_Paper.pdf). You can explore Polisis and Pribot at https://pribot.org to explore the analysis of privacy statements by several organizations.
>
> I took a quick look at this tool and while it appears to be interesting work, it does not produce output which I think is likely for users to actually assimilate. For instance, here is what it does with McAfee's policy:
>
> https://pribot.org/polisis/?company_url=mcafee.com&_id=59d8f9c4e3dd0c4e24555c1d&category=first-party-collection-use
>
> We've already run this experiment of machine readable privacy policies once with P3P and I don't see a reason to think this will be any different.
>
> Taking a step back here: is there any client with significant usage that would be interested in consuming this kind of policy when published by a resolver? If so, I'd like to hear from them about their needs. If not, it doesn't seem worth discussing further.
>
> -Ekr
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add