IETF Logo Mail Archive

Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>

Ben Schwartz <bemasc@google.com> Wed, 13 May 2020 03:12 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7E593A0484 for <dns-privacy@ietfa.amsl.com>; Tue, 12 May 2020 20:12:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CM3Axi0mFTgf for <dns-privacy@ietfa.amsl.com>; Tue, 12 May 2020 20:12:50 -0700 (PDT)
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 345913A07B6 for <dns-privacy@ietf.org>; Tue, 12 May 2020 20:12:50 -0700 (PDT)
Received: by mail-wm1-x329.google.com with SMTP id m24so15186281wml.2 for <dns-privacy@ietf.org>; Tue, 12 May 2020 20:12:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=UguYVbQB0uoJzioykXb2h0EE0LA+as/6SFIOwc+sv3Y=; b=LSXZI5aRb5+mHeeXI4QsqCjrT5c9xz4O0LKvV2MBcgd+JSrq39IYzBvaswMbVliMvS WDiLO4XpSYJD1LvB12KRe9EeYd/C3FujczLzBNpJFi5RYHo5yTKJJjmiELyAsLpROBT/ M9FPhGvsc/gkdDFjrBLsDjnplYlswUT9y3oztgM7W2CSQ4rfH/YcLJ+BYaGl1OZ0J1lP JX1/pW7RqMxh6EiHL6kWVLV2SFC1rxogOUo20fOFabZnmaelOMalJKYdixTUILoynNpi DQO7CAgsR9V1pecRs0xWCz+z2J0xbTxogMhTpm+nqfpeLQjdS9LZeQvSkEbv+9T+5y/8 sFmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UguYVbQB0uoJzioykXb2h0EE0LA+as/6SFIOwc+sv3Y=; b=EucmSRERYry5kiTTuF8vghMfSzTrMCVXOdi8E0tIj2dknLB3FvAFAzHtmUQhI2Bb3P 8fJm7/YxiLwTnoS6V5YHd18NxTvL5oCpkvwaGPuSrNM7gy5fOvzOOw8eXKo2lF7qBYU+ lyoOt5sHfSLlzpBeieFhJCcx2NtyVzNQJURY4NZnvS0V3y4cL9W6RpRSe5qdrPLrvJcN 9jom5CY1PMBEo0lRywpmR4/qM6j/ON0vYBYkJy88mKFpw5dlxVIz94l5SxfHYf+98WoN HI/ySZGkeZm1UndxrJE5CF+MTV/+ADyZNTc+WV18wNrRMvfmIErAnGNedWrXcWqtu7yh s6Ug==
X-Gm-Message-State: AGi0PubccgNK33QWf138bVQH6mjOfe67A2azQpi1FZ7/WAUkPEt1cApJ lungCPeEa7r6bpohwGtcsOMuFwIb+M0hVPWeUpvqSg==
X-Google-Smtp-Source: APiQypK+ZErbTsaSvmLGGBhVJWKifP6r2GK8s4lLZf6YHIaXslGm7YpLsck4CtALXI55nrAb0RYs6mCNm+ZEFhPE9BY=
X-Received: by 2002:a05:600c:230f:: with SMTP id 15mr37587099wmo.101.1589339568061; Tue, 12 May 2020 20:12:48 -0700 (PDT)
MIME-Version: 1.0
References: <157955609351.1744.15099511006231348523.idtracker@ietfa.amsl.com> <F6C06842-9D76-45DF-84A0-B0C4D724E66E@sinodun.com> <CABcZeBPVocy593=WJM2k3Ytrwg36qc_1d4VQH3otRM5qyvZwLA@mail.gmail.com> <1388052392.1781.1586274052101@appsuite-gw1.open-xchange.com> <CABcZeBNi2LKvGFcmTM0uC+rFEVm5tgw6Zo1LS_CoO5=Zo0zqSA@mail.gmail.com> <C03AC6C2-9DCB-448A-B906-3062BD616E31@sinodun.com> <CAMOjQcGrWXFpStp=iVbo1jVN3qnen8rC71SyXv6evY2-MgUdxg@mail.gmail.com> <3345FB83-A19A-4542-8A8E-C535884B157F@sinodun.com> <CABcZeBPP6J=a=hW6BLcMnKawupa3RjjpYAzgZ317=ryLy39n+A@mail.gmail.com> <8CEFE3CB-A88C-4BBC-95B8-9850142DB5EE@sinodun.com> <CABcZeBPF41eq-HYXdYScx7bqYyUO7-oH6zWKqj7Ka23u8x_E4A@mail.gmail.com> <ACA9854E-00B7-4776-A850-E5069C672121@cisco.com> <CABcZeBOxN7iNTLFUw7JDc4ZGH_u4awys3g52de29CuOyQv2JUQ@mail.gmail.com> <C8B168D0-F719-405F-892F-14573A7C568D@sinodun.com> <CABcZeBPGAgqSPKWXKaL6kK5CYzgK+RmwFrMwhc6ED7aGnV_ayA@mail.gmail.com> <8AB227E2-F968-47C4-9EB6-40A988263892@sinodun.com> <4fc44293-cdd9-24b7-cf26-1451a3652f73@huitema.net> <541315765.30668.1589285684382@appsuite-gw2.open-xchange.com>
In-Reply-To: <541315765.30668.1589285684382@appsuite-gw2.open-xchange.com>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 12 May 2020 23:12:35 -0400
Message-ID: <CAHbrMsBrB-BGog8kjE0WRBpNVZ16z-nBSpKXXzUYrfwm1bY68A@mail.gmail.com>
To: Vittorio Bertola <vittorio.bertola=40open-xchange.com@dmarc.ietf.org>
Cc: Christian Huitema <huitema@huitema.net>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "draft-ietf-dprive-rfc7626-bis@ietf.org" <draft-ietf-dprive-rfc7626-bis@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000006bf77a05a57ef419"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/W38Cek9oMeEHNrNzqF91wn8IUnk>
Subject: Re: [dns-privacy] Datatracker State Update Notice: <draft-ietf-dprive-rfc7626-bis-04.txt>
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2020 03:12:53 -0000

On Tue, May 12, 2020 at 8:15 AM Vittorio Bertola <vittorio.bertola=
40open-xchange.com@dmarc.ietf.org> wrote:

>
> Il 11/05/2020 21:35 Christian Huitema <huitema@huitema.net> ha scritto:
>
> I found the discussion of application embedded resolvers bizarre. It
> speaks of applications in general, but the way the text is set-up appears
> to be a specific dig against Mozilla. Look at the text: "popular
> applications directing DNS traffic by default to specific dominant
> resolvers". It boils down to accusing some unnamed application of
> deliberately contributing to centralization. I find that problematic, and
> also very imprecise. I think this should be rewritten in a much more
> neutral way.
>
> I think this section has already been rewritten at least half a dozen
> times, and every time there was a claim that it is not neutral (sometimes
> even on text that previously seemed to be ok). Every time the authors put
> the effort to rewrite it once again according to the comment, and every
> time a new comment comes in saying that this is not enough. I admire their
> patience.
>
> In any case, I don't know Mozilla's view on whether this is a specific dig
> against them, but it is meant as a discussion on privacy impacts of a
> specific deployment model, not of a specific company's policy. These
> privacy impacts, even if with very variable views, have been the subject of
> many conferences, articles and talks in the last couple of years - they
> were not discovered in this document, and it would be weird if they were
> omitted from a discussion on DNS privacy released in 2020. The fact that
> Mozilla is at this time the only company adopting that model is just
> coincidental, apart from perhaps reflecting the fact that others think that
> that model is not a particularly good idea.
>
> In a modern environment, the concept of host is very fuzzy. We get all
> kinds of special devices. We also get containers or virtual machines
> running inside hosts. A browser is in practice such a container. There is
> not a difference of nature between a separate subsystem like a browser
> environment and a separate device. If a browser embeds its own stub
> resolver, users can configure the resolver of their choice in much the same
> way that they can configure the resolver of their choice using a device
> configuration UI. There are differences in management, but these
> differences fall largely outside the scope of the DNS privacy draft.
>
> In both cases, users are very likely to configure a well-known service.
> There is not much the difference between setting the device's preferred
> resolver to 8.8.8.8 and setting the browser's choice to "Google DNS"? In
> both cases, the centralization effect results from the popularity of the
> service, unless you are specifically accusing Mozilla of conspiring to
> centralize the DNS. And a privacy RFC is not the right place to do that.
>
> You seem to miss the point, which is not about users setting their
> preferred resolver at the application level, but about applications that by
> default ignore the resolver settings in the device and pick their own
> preferred resolver independently from the user.
>
> In a market in which there are few choices, indeed this behaviour promotes
> centralization: we know that most users do not change the defaults, and if
> most users of a popular application start using a single resolver in place
> of a broad set of local resolvers scattered around the Internet, of course
> the resulting traffic pattern is more centralized.
>
> We also know that centralization of the DNS is potentially a privacy
> threat, as it makes it easier to track and correlate multiple activities by
> the same individual. This does not seem contentious - it was actually the
> first example in last year's IAB "DEDR" workshop charter.
>

That seems quite contentious to me.  Decentralization of the DNS is _also_
a privacy threat: running your own recursive leaks your IP to every
authoritative (far worse than ECS!), pinning yourself to a unique recursive
makes you uniquely identifiable as you move across the network, and using a
recursive whose identity is unknown is obviously a privacy concern.

There are many possible resolution configurations, and none of them offer
perfect privacy.  The exact tradeoffs between them are very much in flux as
the relevant standards and practices evolve.  If the draft tries to cover
this topic it should present all of the risks in these different
configurations, but I think it would probably be wiser to avoid claims
about the privacy properties of deployment architectures.

Moreover, this potential downside for privacy can be entirely countered by
> increased privacy protections offered by the new operator, and this is
> clearly stated in the final paragraph.
>
> The central paragraphs were initially meant to say that, to preserve the
> user's privacy, the user should always be given controls to set the
> resolver. This is in line with the basic principle of most
> privacy-protecting policy frameworks, i.e. user consent.
>
> However, the current text just says that "if" we wanted to give users the
> same degree of control they currently have in basically any
> consumer-oriented operating system, then applications should provide users
> with controls (any control goes, even if hidden under a 3-click-deep
> configuration hierarchy, as you have to do today if you really want to
> reject advertising cookies on the average commercial website). Then, the
> text adds that if applications don't do it, users might not... be able to
> control their resolver.
>
> There is not even any more a stance that says that users should be able to
> choose where their DNS queries go, or that the lack of such choice is in
> itself a privacy problem. From the perspective of a privacy advocate, this
> section is now quite watered down.
>
> I am also puzzled by the fact that this draft was actually in last call
> six months ago, and it only received a single objection just before the
> deadline, and since then we have entered an endless cycle changing it again
> and again and again. I did my best to help with compromise text as
> requested but I do not understand where this process is going.
>
> --
>
> Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
> vittorio.bertola@open-xchange.com
> Office @ Via Treviso 12, 10144 Torino, Italy
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
>

v2.23.0 | Report a Bug | By Email