Re: [DNSOP] I-D Action: draft-vixie-dns-rpz-04.txt
Paul Wouters <paul@nohats.ca> Thu, 22 December 2016 17:11 UTC
Date: Thu, 22 Dec 2016 12:10:59 -0500
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <201612221536.uBMFacG2039081@calcite.rhyolite.com>
Message-ID: <alpine.LRH.2.20.1612221150560.2454@bofh.nohats.ca>
References: <201612221536.uBMFacG2039081@calcite.rhyolite.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rJr6Kire53XeODSPDfW6R80KYog>
On Thu, 22 Dec 2016, Vernon Schryver wrote:

> SERVFAIL signaling DNSSEC validation failure is the equivalent to an
> HTTP 4yz failure status. Neither is a full and open disclosure to end
> users that censorship has occurred, because in both cases end users
> only understand that the internet is broken.

When using HTTPS, I can tell the 4xx failure is from a legitimate source
(the publisher) or a middle man proxy/filter system. A SERVFAIL (or
BOGUS/INDETERMINATE answer if chained to my own resolver) does not tell
me if this came from a legitimate source or an intermediary.

> But on the real Internet, HTTP 4yz results do not signal censorship,
> because great firewalls, HTTP(S) proxies, and compliant PKI CAs are
> used for invisible censorship, content injection, etc.

Which is why we now have Certificate Transparency ("trans" working
group) in RFC6962 and soon 6962bis, and DANE/TLSA. These are IETF
efforts to ensure that we can see a distinction between (opt-in)
censorship and MITM attacks.

>> Protocol signalling can help, but it is a relatively trivial matter
>> compared to how the blocking technology is explained to the people who are
>> affected by it.
>
> I don't agree. While my Aunt Mildred might understand the instructions
> of a walled garden the next time she infects her computer, she'll never
> understand RPZ, HTTPS proxies, or even firewalls. Even if she had the
> wit, she lacks the interest.

This is a red herring. No one is suggesting any visible changes for Aunt
Mildred. But what we do want is for experts to be able to determine the
type of censorship and the actor involved, so we have accountability.

> More important is that while DNS and HTTP lies can be used in open,
> transparent, and virtuous ways, they won't be in the cases that justify
> concern. Perhaps that is why among the thundering about ethics, human
> rights, honesty, evil, and that the draft must never ever in a million
> years be accepted without warning text, no text has been proposed. I
> do not see how a principled stand for DNS honesty could accept any
> warning text (or protocol signalling).

Some of us were not advocating for such text, although some text is
surely appropriate for the Security Considerations or Privacy
Considerations sections. Instead, I advocated for simple accountability
by ensuring the censored are able to determine the censor.

The IETF has undertaken some responsibility with respect to internet
protocols and their impact on society. If you want the IETF stamp of
approval, those are the implications.

Paul
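The point above that a SERVFAIL on its own does not reveal whether it came from honest DNSSEC validation or from an intermediary applying policy is exactly what a practitioner runs into when triaging one. The script below is an added example, not code from the post, from the RPZ draft or from any resolver; it compares the local resolver's answer with an independent validating resolver's view of the same name (with DO set, and again with CD set to see the unvalidated data) and labels the local answer accordingly. It assumes dnspython for the live probe and an independent validating resolver whose address the operator supplies; the probe values in the `__main__` block are constructed.

```python
"""Triage a SERVFAIL: DNSSEC validation failure or a local policy response?

Added example, not from the list post or the RPZ draft. The local answer is
opaque on its own; attribution needs an out-of-band comparison with a
resolver the operator trusts to validate and not to apply policy.
"""
from dataclasses import dataclass
from typing import Tuple

try:  # dnspython is needed only for live_probe(), never for classify()
    import dns.flags, dns.message, dns.query, dns.rcode, dns.rdatatype
    HAVE_DNSPYTHON = True
except ImportError:
    HAVE_DNSPYTHON = False


@dataclass(frozen=True)
class Probe:
    rcode: str              # e.g. "NOERROR", "SERVFAIL", "NXDOMAIN"
    ad: bool                # AD flag: the answering resolver validated the data
    rdata: Tuple[str, ...]  # sorted A rdata strings; empty when there is no answer


def live_probe(name: str, server: str, cd: bool = False) -> Probe:
    """Query `server` (an IP address) for A records of `name` with DO set,
    and with CD set when asked, so the resolver returns unvalidated data.
    Assumed helper built on dnspython; not part of any resolver's tooling."""
    if not HAVE_DNSPYTHON:
        raise RuntimeError("dnspython is not installed")
    q = dns.message.make_query(name, dns.rdatatype.A, want_dnssec=True)
    if cd:
        q.flags |= dns.flags.CD
    r = dns.query.tcp(q, server, timeout=5)  # TCP avoids truncation with DO set
    rdata = tuple(sorted(rd.to_text() for rrset in r.answer
                         if rrset.rdtype == dns.rdatatype.A for rd in rrset))
    return Probe(dns.rcode.to_text(r.rcode()), bool(r.flags & dns.flags.AD), rdata)


def classify(local: Probe, ref: Probe, ref_cd: Probe) -> str:
    """Attribute the local resolver's answer by comparing it with an
    independent validating resolver (`ref`) and that resolver's CD=1 view
    (`ref_cd`). Labels describe the local resolver's behaviour only; they
    cannot name the actor behind a policy, which is the accountability gap
    the post describes."""
    # The independent validator rejects the name but unvalidated data exists:
    # the zone is DNSSEC-bogus, so a local SERVFAIL is honest validation.
    if ref.rcode == "SERVFAIL" and ref_cd.rcode == "NOERROR":
        return "dnssec-bogus" if local.rcode == "SERVFAIL" else "local-answered-bogus-name"
    # The independent validator proves the name exists and validates (AD=1).
    if ref.rcode == "NOERROR" and ref.ad:
        if local.rcode == "SERVFAIL":
            return "local-blocked-signed-name"      # not a DNSSEC failure of the zone
        if local.rcode == "NXDOMAIN":
            return "local-rewrote-to-nxdomain"      # existing signed name denied locally
        if local.rcode == "NOERROR":
            return "consistent" if local.rdata == ref.rdata else "local-substituted-data"
    # The independent validator proves (AD=1) that the name does not exist.
    if ref.rcode == "NXDOMAIN" and ref.ad:
        return "consistent" if local.rcode == "NXDOMAIN" else "local-injected-data"
    return "inconclusive"


if __name__ == "__main__":
    # Constructed probe results standing in for live queries.
    ref_ok = Probe("NOERROR", True, ("192.0.2.10",))
    ref_ok_cd = Probe("NOERROR", False, ("192.0.2.10",))
    print(classify(Probe("SERVFAIL", False, ()), ref_ok, ref_ok_cd))
    # Live use (requires dnspython and network), with operator-supplied addresses:
    # name, local, ref = "www.example.com.", "192.0.2.53", "198.51.100.53"
    # print(classify(live_probe(name, local), live_probe(name, ref),
    #                live_probe(name, ref, cd=True)))
```

The CD-bit probe is what separates "the zone really is bogus" from "something in my path said SERVFAIL": with CD set, a validating resolver hands back the data it would otherwise have rejected, so a name that is SERVFAIL with DO but NOERROR with CD at the independent resolver has a genuine signature problem. Any other SERVFAIL that validates fine elsewhere was produced by the local resolver or an intermediary in front of it, which is all the protocol lets you establish.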