Re: [dns-privacy] draft-ietf-dprive-dtls-and-tls-profiles: strict privacy

Sara Dickinson <sara@sinodun.com> Thu, 27 October 2016 13:45 UTC

From: Sara Dickinson <sara@sinodun.com>
Date: Thu, 27 Oct 2016 14:45:18 +0100
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: dns-privacy@ietf.org

> On 23 Oct 2016, at 00:26, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> 
> Greetings. The tone in Section 4 about strict privacy seems completely wrong to me. I recognize that there are some users who really want to be able to configure strict privacy for themselves, but the text in the section ignores the fact that if strict privacy cannot be achieved in a particular session, a user is likely to turn off DNS-over-TLS. The text here makes opportunistic privacy seem like a weak second cousin, not a legitimate choice for people who want to encrypt where possible. If a user sees "you can't use the Internet because of your setting for DNS over TLS", the result will be less overall privacy than if the document primarily emphasizes opportunistic privacy, and describes strict privacy only for those users who are willing to have no internet connectivity at some times.

Hi Paul, 

We started but didn’t conclude a similar, smaller scale discussion during your review of the -03 version. Based on that discussion I proposed the following text for the end of section 4:

"Strict Privacy provides the strongest privacy guarantees and therefore SHOULD
always be implemented in DNS clients along with Opportunistic Privacy.

A DNS client that implements DNS-over-(D)TLS SHOULD NOT default to the use of
clear text (no privacy). 

The choice between the two profiles depends on a number of factors including
which is more important to the particular client:
*  DNS service at the cost of no privacy guarantee (Opportunistic) or
*  guaranteed privacy at the potential cost of no DNS service (Strict).

Additionally, the two profiles require varying levels of configuration (or a
trusted relationship with a provider) and DNS server capabilities; therefore DNS
clients will need to carefully select which profile to use based on their
communication privacy needs.

A DNS server that implements DNS-over-TLS SHOULD provide at least one credential
in order that those DNS clients that wish to do so are able to use Strict
Privacy (see Section 2)."


I didn’t get any further feedback on this so didn’t include the text in the next version (which I really should have). I’d like to think we could work on improving this text to paint the correct picture of the 2 classes of user and which profile is most suitable for them? 

> 
> Also: why is "hard failure" the fourth bullet describing Opportunistic Privacy? That would only apply to Strict Privacy, correct?

Not necessarily. From RFC7435: "Opportunistic security protocols may hard-fail with peers for which a
security capability fails to function as advertised."

Sara.
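The two profiles contrasted in the proposed text above, as an added example that is not part of this thread or of the draft: a Python model of a DNS client choosing its transport under Strict versus Opportunistic Privacy, including the RFC 7435 case where an advertised TLS capability fails to function and the opportunistic client hard-fails rather than silently downgrading to cleartext. The probe results are constructed, and the Probe fields and the select_transport function are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Profile(Enum):
    STRICT = "strict"
    OPPORTUNISTIC = "opportunistic"

class Outcome(Enum):
    AUTHENTICATED_TLS = "authenticated TLS"      # encrypted, server credential verified
    UNAUTHENTICATED_TLS = "unauthenticated TLS"  # encrypted, credential not verified
    CLEARTEXT = "cleartext"                      # no privacy at all
    HARD_FAIL = "hard fail"                      # client gives up: no DNS service

@dataclass(frozen=True)
class Probe:
    # Constructed summary of one attempt against a configured server (assumption:
    # a real client derives these from the (D)TLS handshake and credential check).
    name: str
    tls_handshake_ok: bool
    credential_verified: bool  # e.g. cert matches the configured auth domain / SPKI pin
    tls_advertised: bool       # client was told (config or meta-query) that TLS is offered

def select_transport(profile: Profile, probes: list[Probe]) -> tuple[Outcome, str | None]:
    """Strict: authenticated TLS or nothing. Opportunistic: authenticated TLS,
    then any TLS, then cleartext, but hard-fail if advertised TLS did not work."""
    authenticated = [p for p in probes if p.tls_handshake_ok and p.credential_verified]
    if authenticated:
        return Outcome.AUTHENTICATED_TLS, authenticated[0].name
    if profile is Profile.STRICT:
        return Outcome.HARD_FAIL, None  # guaranteed privacy at the cost of no DNS service
    encrypted = [p for p in probes if p.tls_handshake_ok]
    if encrypted:
        return Outcome.UNAUTHENTICATED_TLS, encrypted[0].name
    # No server completed a TLS handshake. RFC 7435: a peer whose advertised
    # security capability fails to function is a hard failure, not a downgrade.
    if any(p.tls_advertised for p in probes):
        return Outcome.HARD_FAIL, None
    if probes:
        return Outcome.CLEARTEXT, probes[0].name  # DNS service, no privacy guarantee
    return Outcome.HARD_FAIL, None

# Constructed probe results: one server with an unverifiable certificate, one with no TLS.
SAMPLE_PROBES = [
    Probe("resolver-a.example", tls_handshake_ok=True, credential_verified=False, tls_advertised=True),
    Probe("resolver-b.example", tls_handshake_ok=False, credential_verified=False, tls_advertised=False),
]
```

With SAMPLE_PROBES a Strict client ends with no DNS service, while an Opportunistic client accepts unauthenticated encryption from resolver-a, which is exactly the trade-off the proposed bullets describe.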