Re: [dns-privacy] [Last-Call] last call review of draft-ietf-dprive-rfc7626-bis-03
Rob Sayre <sayrer@gmail.com> Thu, 09 January 2020 20:13 UTC
Return-Path: <sayrer@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32EC11200E9; Thu, 9 Jan 2020 12:13:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T08UbZnVUwzv; Thu, 9 Jan 2020 12:13:13 -0800 (PST)
Received: from mail-io1-xd41.google.com (mail-io1-xd41.google.com [IPv6:2607:f8b0:4864:20::d41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD9EE1202A0; Thu, 9 Jan 2020 12:13:12 -0800 (PST)
Received: by mail-io1-xd41.google.com with SMTP id z193so8576851iof.1; Thu, 09 Jan 2020 12:13:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+i3BRREDDN1z6FNtMYYysUQxBUCfazX5Vs3hRO4mxjs=; b=NSO8YNfGDytIt0h1xw+2iI2Ki1gTi1ERJx+SqbSTDMvfpP3tXzE87DDW0EhUbYcMSY yGytwP2JiUB5As8z/nsxH/e5Nz/EN0zSUKP7gcet1wcpS9ZYKrIvxys72gfnPAcOoSL0 gdRa/z2z0/47vAlvQdGfkzu7WZ6Fj6YPdhXsloDLF+maemYJ5o5RbnSAKLfkT2DgINxV RUpTbR5EAkHOiyA/mPiGDBThPdrTELv5aeTs/k4mYyXChRTAq2dfh/F5jOgrOx1uNk1T 6+4jAHykDEJ56ozQivEcMChOhvVRqmEkHwNbRpoaIjO2wbQS/h+7JKVG/O6DZ0Q2JyKV m0MA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+i3BRREDDN1z6FNtMYYysUQxBUCfazX5Vs3hRO4mxjs=; b=oJvWAeTVTrq8oSGmAjWKLbDy3XUmLplK9UEdQ99KrnHRwAvx3TaSkAOjhHqUAVnc2o yHJ/rbF9pzmSXoFXyN2xM/Dw72iv4nu8YuesLOZ96IwDRlIEHk2YGpE3jRib0QyNMHAo iUvnORVRU6QukSBQ7Dvsu0hkA73OQ0tr3c0C5/6mt1yJ+ZU9EXICw51310JN/UNyv8zn GDu3oHRMpnXrFvemDGCItiI26bMgubVc7UafzU2McvuNIVE/TnHhewiham/l7Id3GQBz lCasue+zT9RuIGzb+VcLZBh2pbhT5RKx9iZWB1YGA3DKouAMmdH1uZ2XLxMjliYoYcAE gtxA==
X-Gm-Message-State: APjAAAV8s48WXbTkLCtAWYstnMK6Ynpt2iQtsItiXwTvOnby1cpvUhqK kHMIhJQn+1H1PIcKDnI3S7OIZqqFcPfMzYlU5Q8=
X-Google-Smtp-Source: APXvYqy4hf4kzz4BcbJkRQ04BRej2gnjf+lDaT1MpTghf2W56zMqx4nlQBs6gAGYV4+lYr1iqAyZbsTohpdOzZzuYlo=
X-Received: by 2002:a6b:ec08:: with SMTP id c8mr9235629ioh.257.1578600791983; Thu, 09 Jan 2020 12:13:11 -0800 (PST)
MIME-Version: 1.0
References: <157504194893.4871.5551746255324168227@ietfa.amsl.com> <208AD30F-1213-4784-81FC-4AB76730CEC2@sinodun.com> <a02720cf-01b3-d61a-94d2-b3d0a399f107@cs.tcd.ie> <20191223220509.GK35479@kduck.mit.edu> <CAChr6SyAhA8V7AQHC67vTEmHWgd+gMzM-ZtFTkBDUhsvVQEC8A@mail.gmail.com> <614B534F-D62D-432C-A3E5-A01D9BF972AA@sinodun.com> <CAChr6SzbtzYPa8D6yFv+f74==6JFQtM+BVyPKR8NAiBG0p-icQ@mail.gmail.com> <187F7041-9537-4767-A824-DA8103356570@sinodun.com> <CABcZeBNscStJzpqZfmjstLFYtuvfKc2TMicK6xbag=DbztafCQ@mail.gmail.com>
In-Reply-To: <CABcZeBNscStJzpqZfmjstLFYtuvfKc2TMicK6xbag=DbztafCQ@mail.gmail.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Thu, 09 Jan 2020 12:13:00 -0800
Message-ID: <CAChr6Sy1X7a7cJdUpXnriH3by16SjEaxA3DLc9onfSkbM0i7fw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Sara Dickinson <sara@sinodun.com>, last-call@ietf.org, DNS Privacy Working Group <dns-privacy@ietf.org>, draft-ietf-dprive-rfc7626-bis.all@ietf.org
Content-Type: multipart/alternative; boundary="00000000000072cd41059bbaa34f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/a9VwKnbxOwpJUePQX0yZfYtLQoU>
Subject: Re: [dns-privacy] [Last-Call] last call review of draft-ietf-dprive-rfc7626-bis-03
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2020 20:13:15 -0000
On Thu, Jan 9, 2020 at 10:30 AM Eric Rescorla <ekr@rtfm.com> wrote: > > On Thu, Jan 9, 2020 at 10:02 AM Sara Dickinson <sara@sinodun.com> wrote: > >> >> It means a standards compliant DoT implementation will have no client >> identifiers, a standards compliant DoH implementation is free to (and >> likely) to include them. >> > > [Citation needed] > > -Ekr > I also found this explanation lacking. When the draft states "the wide practice in HTTP to use various headers to optimize HTTP connections, functionality and behaviour (which can facilitate user identification and tracking)" Which headers is this statement referring to, and which optimizations? > > >> >> I think the Section 8.2 of RFC8484 states this problem better. Why do we >> need this section? >> >> https://tools.ietf.org/html/rfc8484#section-8.2 >> >> >> As others have mentioned - this document gives an overall discussion of >> privacy across all DNS protocols, RFC8484 is focussed on the DoH specific >> aspects. >> >> >> >> >>> ones with PKI and PGP are clearly out of scope for this document. >>> >> >> I didn't mention PGP--I was talking about misrouting (BGP). I disagree >> that they are out of scope. Most of the larger TLS use cases rely on PKI. >> >> >> I meant BGP - it was a typo. Section 2 currently states: >> >> “The privacy risks associated with the use of other protocols, e.g., >> unencrypted TLS SNI extensions or HTTPS destination IP address >> fingerprinting are not considered here.” >> > Except the draft does spend a lot of time discussing HTTPS, in a speculative way that frames the issues as though DoT doesn't have these problems. It's true that there are two places to put metadata in DoH, but DoT suffers from all the same risks nevertheless. It's perfectly possible to add metadata to a DoT request at the TLS layer, and that data could identify users or clients, just as the draft claims is the case "if DoH clients commonly include several headers in a DNS message (e.g., user-agent and accept-language)...". thanks, Rob
- [dns-privacy] Secdir last call review of draft-ie… Stephen Farrell via Datatracker
- Re: [dns-privacy] Secdir last call review of draf… Sara Dickinson
- Re: [dns-privacy] Secdir last call review of draf… Eric Rescorla
- Re: [dns-privacy] Secdir last call review of draf… Stephen Farrell
- Re: [dns-privacy] [secdir] Secdir last call revie… Benjamin Kaduk
- Re: [dns-privacy] [Last-Call] [secdir] Secdir las… Rob Sayre
- Re: [dns-privacy] [secdir] Secdir last call revie… Sara Dickinson
- Re: [dns-privacy] [Last-Call] last call review of… Sara Dickinson
- Re: [dns-privacy] [Last-Call] last call review of… Rob Sayre
- Re: [dns-privacy] [Last-Call] last call review of… Christian Huitema
- Re: [dns-privacy] [Last-Call] last call review of… Rob Sayre
- Re: [dns-privacy] [Last-Call] last call review of… Vittorio Bertola
- Re: [dns-privacy] [Last-Call] last call review of… Rob Sayre
- Re: [dns-privacy] [Last-Call] last call review of… Sara Dickinson
- Re: [dns-privacy] [Last-Call] last call review of… Eric Rescorla
- Re: [dns-privacy] [Last-Call] last call review of… Rob Sayre
- Re: [dns-privacy] [Last-Call] last call review of… Stephane Bortzmeyer
- Re: [dns-privacy] [Last-Call] last call review of… Eric Rescorla
- Re: [dns-privacy] [secdir] Secdir last call revie… Benjamin Kaduk