Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

David Cake <dave@difference.com.au> Tue, 17 March 2015 18:17 UTC

Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
Content-Type: multipart/signed; boundary="Apple-Mail=_054DF935-5E8B-4707-87EC-541879C934D7"; protocol="application/pgp-signature"; micalg="pgp-sha256"
From: David Cake <dave@difference.com.au>
In-Reply-To: <6CF06CE1-FB50-4BD8-AF54-4CCAAEA93B0B@virtualized.org>
Date: Wed, 18 Mar 2015 02:17:22 +0800
Message-Id: <14E5A9B3-3C52-40A7-90AF-3632F5EC20B0@difference.com.au>
References: <CAFggDF0XX3v7yGsaCwFnE7cjK0yz4-frxFgoBJfnztO8k-LFBg@mail.gmail.com> <alpine.LFD.2.10.1503162052420.20709@bofh.nohats.ca> <D12DE3BF.B714%alecm@fb.com> <515E25C7-B711-4C41-8C8D-2B5A57DF9B1E@difference.com.au> <6CF06CE1-FB50-4BD8-AF54-4CCAAEA93B0B@virtualized.org>
To: David Conrad <drc@virtualized.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/2GkiB1MpNHMXeVwoHOGV8pWFSeQ>
Cc: Christian Grothoff <christian@grothoff.org>, Alec Muffett <alecm@fb.com>, dnsop <dnsop@ietf.org>, Richard Barnes <rlb@ipv.sx>, Mark Nottingham <mnot@mnot.net>, Brad Hill <hillbrad@fb.com>, Jacob Appelbaum <jacob@appelbaum.net>, Paul Wouters <paul@nohats.ca>
Subject: Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt
Precedence: list

> On 18 Mar 2015, at 1:49 am, David Conrad <drc@virtualized.org> wrote:
>> 	As per that document, ICANN security team have been among the groups pressuring to have the local namespaces loophole closed for at least a couple of years now. And the problem has scuttled some gTLD applications that are regarded as too tainted by the issue already (e.g. .corp).
> 
> To be clear, the CA stuff isn't the sole reason applied for gTLDs like .corp were 'scuttled' -- the large number of queries for .corp and .home (in particular) seen at the root suggested the risk of name collision was too high (see https://datatracker.ietf.org/doc/draft-chapin-additional-reserved-tlds/ <https://datatracker.ietf.org/doc/draft-chapin-additional-reserved-tlds/>).

	Yes, quite right, there are a lot of issues with name collision in general, and those three in particular leak a lot. Decision not to delegate was wise.

> The risk of information leakage will remain as long as the query leaves the local machine (making the assumption that the local machine can be trusted).  This risk will remain as long as APIs/libraries do not consult the Special Names Registry and don't forward names in that registry to the DNS for lookup (read: a very long time). Qname Minimization may help in the future (assuming it moves forward), but given the circumstances of folks who rely on .onion, I don't think that can be relied upon.

	Yes, and in this respect .onion would be no different to other names on the Special Use Names list, so the list can be regarded as mitigating the issue at best.
	It isn’t the worst information leakage issue for most .onion users, and in general those issues, like this one, result from users using services that they intended to only access when tor is running when it is not ( e.g. associating a P2P GUID with non-TORed IP). There is a limited amount that can be done about that. The best communications security is still vulnerable to operational security failure. Which is no reason not to try.

	David

Attachment: signature.asc

Re: [DNSOP] discussion for draft-appelbaum-dnsop-… David Conrad
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… David Cake
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Rubens Kuhl
[DNSOP] discussion for draft-appelbaum-dnsop-onio… Jacob Appelbaum
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Paul Wouters
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… hellekin
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Paul Wouters
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… hellekin
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Alec Muffett
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Christian Grothoff
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… David Conrad
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… hellekin
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Alec Muffett
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… David Conrad
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Richard Barnes
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Tim Wicinski
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… David Conrad
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Alec Muffett
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Rubens Kuhl
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… David Cake
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Alec Muffett
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Hugo Maxwell Connery
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… hellekin
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… David Conrad
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Ted Lemon
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Alec Muffett
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Rubens Kuhl
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Alec Muffett
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Rubens Kuhl
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Tom Ritter
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Richard Barnes
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Andrew Sullivan
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Andrew Sullivan
[DNSOP] draft-grothoff (was Re: discussion for dr… David Conrad
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… hellekin
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Ted Lemon
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Florian Weimer
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Edward Lewis
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Andrew Sullivan
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… joel jaeggli
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Warren Kumari
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… John Levine
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Alec Muffett
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Andrew Sullivan
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Hugo Connery
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… hellekin
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Alec Muffett
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… hellekin
Re: [DNSOP] discussion for draft-appelbaum-dnsop-… Alec Muffett

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

Attachment: signature.asc