Re: [Captive-portals] Fixing RFC 7710
Martin Thomson <martin.thomson@gmail.com> Sun, 04 March 2018 22:55 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: captive-portals@ietfa.amsl.com
Delivered-To: captive-portals@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF3211273B1 for <captive-portals@ietfa.amsl.com>; Sun, 4 Mar 2018 14:55:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zoimgTk-h_59 for <captive-portals@ietfa.amsl.com>; Sun, 4 Mar 2018 14:55:24 -0800 (PST)
Received: from mail-ot0-x230.google.com (mail-ot0-x230.google.com [IPv6:2607:f8b0:4003:c0f::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C6F1127010 for <captive-portals@ietf.org>; Sun, 4 Mar 2018 14:55:24 -0800 (PST)
Received: by mail-ot0-x230.google.com with SMTP id y11so13371511otg.0 for <captive-portals@ietf.org>; Sun, 04 Mar 2018 14:55:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=YAwaSnQIhljmkIL9wT60CPfvjwd1+kDdp0mAvsr5Sas=; b=iPFbON6pCdsXu40CiTI7RV9iC26sux2QZm/iCKXcw+DzBGWKHLcnI+og9ySIdgQ3C5 Pp92mHYWL/UXraayLC80qupoe5JUVL87MKJfCSYOEFR1xOZBfiUez/z/YPU4yn5BFdYK CnE8ZZVx86fvWXQaU36o8XlNb5j2dwkUhGGnc6WrXAQCqBSerSWGenYFSs/ri8apb3m5 9mNv8pzQ8xdxVqePMaUyty4xbixqC4FsyguCQoaFyFpEL1H2T8Tp5WO1putIBYnptnw0 jxEnUc6boEuNDAYtlmQ1qRsIVUzCbbb0PDZUutFEKICdcqt0DpPkr5oMstPsWdmQoIoy yfqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=YAwaSnQIhljmkIL9wT60CPfvjwd1+kDdp0mAvsr5Sas=; b=KG9EIQ5JJ4jLg7fH52Wrgmv4CvNXCpfo3AoPFF23uyXHp6WMTqeyoUv9tM1eeomwud CZdC4dqXEs8irLldQL8ikkycQ9GKD+dSr8kNPVxpi1QD/skaV/SrlpPHw7Mx8f/jrHeE stMvgwhAHK+ypaLD51lDez1lUnnzs+iPPUe6tmPyM5dyRGCKLX9h8GzVZKayeUvgoc+p EvjkuGG+SqQETbxgD21Z8VL7qs/db8DL3EXxtDsJfcIAEunlayYSbRbYfAQKBCsQjgP9 fNJzpHoPc+aokb87ILHO2JybCgLl6qjARktyAO2w79W80KuriKul5HZdq8slqZaM0GED o29w==
X-Gm-Message-State: APf1xPB6AMtL0noKBecNSMTfauYCcJ0LiV0TeVHB9z6BvlElltfgutfu 1kRXV04Du9AikKq1sIwYVEZjlgMw7C4hg+unOT4=
X-Google-Smtp-Source: AG47ELuxYJ8JTQwDtmBNGXX7NKlBX5sr0wRBcrzljQoDo3UrcTGrWnz3C8OejvDByorTjjVg6cOP3uoGOKt3ZOPFIww=
X-Received: by 10.157.64.181 with SMTP id n50mr9453278ote.241.1520204123666; Sun, 04 Mar 2018 14:55:23 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.16.85 with HTTP; Sun, 4 Mar 2018 14:55:23 -0800 (PST)
In-Reply-To: <CAHw9_iKmj_CYNwm+i6ETKF3FSVwEp-NGVfiMfPiBE3QCUbKzkQ@mail.gmail.com>
References: <CABkgnnWJMipRtG-p0EoUXmK3u1c2ab-v4xN3WZfm3XL8s08aZA@mail.gmail.com> <CAHw9_iKmj_CYNwm+i6ETKF3FSVwEp-NGVfiMfPiBE3QCUbKzkQ@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 05 Mar 2018 09:55:23 +1100
Message-ID: <CABkgnnUTUrDCJgaiYOjwbhgz6r0s+oP598TL-obyGjMCULfJyQ@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
Cc: captive-portals@ietf.org, Olafur Gudmundssen <olafur@cloudflare.com>, Paul Ebersman <ebersman-ietf@dragon.net>, Steve Sheng <steve.sheng@icann.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/captive-portals/1YxwWCeSI70NQve7BsTvEL01bas>
Subject: Re: [Captive-portals] Fixing RFC 7710
X-BeenThere: captive-portals@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of issues related to captive portals <captive-portals.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/captive-portals/>
List-Post: <mailto:captive-portals@ietf.org>
List-Help: <mailto:captive-portals-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/captive-portals>, <mailto:captive-portals-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Mar 2018 22:55:32 -0000
On Sat, Mar 3, 2018 at 9:52 AM, Warren Kumari <warren@kumari.net> wrote: > Yeah, there was a significant amount of discussion on this at the time > of the original document -- I can probably dredge it up if needed, but > IIRC, it focused around the fact that 1: many clients behind a CP > would not have enough working connectivity to be able to do the DNS > stuff required to be able to validate the cert, and 2: a lack of > clarity on what exactly would be authenticated. We have good tools for that now. In practice, the only relevant network connectivity needed to validate the cert is the revocation information. The current idea is that mandating OCSP stapling is enough. Of the other things that are included, AIA is the only one that I know is used in practice, but that can be forbidden here. The only reason to do AIA is to avoid including intermediate certificates in the handshake, and this is a clear case where doing that is not helpful. Practically speaking, not all clients do AIA, so it's not an interoperable choice anyway. > 2: How does the client know that your-preferred-internet-provider.com > is the identity which *should* be providing Internets? Having the > client accept that /might/ give the impression that there is some > *reason* to believe this, and was viewed as a usability concern -- > training users / developers to make a leap of trust that "you should > trust this identity is the right one" was viewed as a dangerous > pattern. > > Somehow this turned into "Just ship http://192.168.1.1/foo and then > that, um, someone else's problem" -- before everyone jumps down my > throat, I'm not arguing for or against the positions, rather trying to > provide some background on how we ended up here. :-P That's not substantially different to https://example.com/. You end up trusting that your DHCP/RA wasn't intercepted. Look at it this way: whatever you get from DHCP/RA is clearly from someone who controls the network. If the person who controls the network isn't the one paying for it, then that's a problem for the person paying for the network; it doesn't change what the device connecting to the network thinks. HTTPS is better in that the target of the URI might not be on the local network, and so at least you have confidentiality once packets leave the network. > I don't have the time to be the only / primary author, but I'd be more > than happy to help co-author (if that would be useful), contribute, > review, fold, spindle or mutilate -- whatever would be helpful. We might hold you to that :)
- [Captive-portals] Fixing RFC 7710 Martin Thomson
- Re: [Captive-portals] Fixing RFC 7710 Alexander Roscoe
- Re: [Captive-portals] Fixing RFC 7710 Michael Richardson
- Re: [Captive-portals] Fixing RFC 7710 Ólafur Guðmundsson
- Re: [Captive-portals] Fixing RFC 7710 Warren Kumari
- [Captive-portals] signaling no captive portal Michael Richardson
- Re: [Captive-portals] Fixing RFC 7710 Martin Thomson
- Re: [Captive-portals] Fixing RFC 7710 Martin Thomson
- Re: [Captive-portals] Fixing RFC 7710 Warren Kumari