Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt
Tim Wicinski <tjw.ietf@gmail.com> Thu, 09 November 2023 16:21 UTC
Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6752C1B0316 for <dnsop@ietfa.amsl.com>; Thu, 9 Nov 2023 08:21:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YOaZTySNA5SR for <dnsop@ietfa.amsl.com>; Thu, 9 Nov 2023 08:21:42 -0800 (PST)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE98FC1E4E77 for <dnsop@ietf.org>; Thu, 9 Nov 2023 08:21:22 -0800 (PST)
Received: by mail-ed1-x52d.google.com with SMTP id 4fb4d7f45d1cf-52bd9ddb741so1712963a12.0 for <dnsop@ietf.org>; Thu, 09 Nov 2023 08:21:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699546881; x=1700151681; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=K2/4gD36FWmMk7fhM2A/Pv0PKK1alUtvzxUPOpN0NxQ=; b=V2Ob7IhL1kipVCgCFmyqq+vJZ2Bxuq2K6PWWU2ZhXcC6LzYqDucfpltSpljq2Ebg6r ONtANARjP279qGJPovmj+2o2b5dIFQkZEwfpeYY2xJKOuU0NSicuXosTUu5EZIjaApVK SmNBYjdHm8N54qxAoEVaGQCKhz9GIpq6X+hnmB3P7W723674cI2iIsdh+kQyZs0Is9sl NP96Nl/LyqKEMnc+pxkrcbmg0/B/9qXDDhAiekY1H+qJEDCzEGe0PulOXg5XVIB3uwar pUJA21Djhmhclb9QvBDVtyqePr/UQqh0UJJMgFlp5nH8bAiFx6VUlumq9H64PLjZLw34 Y0UA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699546881; x=1700151681; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=K2/4gD36FWmMk7fhM2A/Pv0PKK1alUtvzxUPOpN0NxQ=; b=lGSuRCpCNrTyavYqqvNbtiPpEzx4d9283rAmRviJjvTYCESXTZ4j15vnVnE1gNQXka VaK3/jKyN0XKduY1IPArqzbEmPRwd89wLv28mkAOzHCYY/5ElZ3SjE+muvGFtvhQhzS8 oaKCkVUM4fPZjEWz/isapRIOJsbycG7cqP72TP9mk0GSKcw4GYuvzcA8iLHgNnTBVNkm 5ImI7Crlp5+qG4goia6cwnHnT9A6tqgq7BrItQ/eNAD41XjQSsZ8zNDZEAEFMBZY1JeS b8u+mX02bNtjC1WzoMBpasRYgSxXcmEBQk9QAd8xyzUsreE3+rIxgUo7Nx4JfbXYrQlO unVA==
X-Gm-Message-State: AOJu0Ywbi/D1m7tHR9n3oYiXVvQnnuLJCFu+sH3Ua+ReFNznybG70xF0 AkHNQi2RfnTa1d8iqmbotgONlI4uUScKr13gWTo=
X-Google-Smtp-Source: AGHT+IGO/182OqnDNLqYetFvZHVsyB1OZFYwHk7NjxBW/t1rPQlSHoe1DogNTQ/9QNLWTwxnJYwK8a7shcv60LgGW44=
X-Received: by 2002:a17:906:4fd0:b0:9dd:dc2a:eb8b with SMTP id i16-20020a1709064fd000b009dddc2aeb8bmr4934622ejw.41.1699546880862; Thu, 09 Nov 2023 08:21:20 -0800 (PST)
MIME-Version: 1.0
References: <DB9PR05MB8473EE94D86348FF1E8207EAA3AFA@DB9PR05MB8473.eurprd05.prod.outlook.com> <BN8PR15MB32817912282A69869281090DB3AFA@BN8PR15MB3281.namprd15.prod.outlook.com> <CADyWQ+FtytyMmwzBjvW=upDzC1HCbfUXOyD6sEyDK5dr5gQfMw@mail.gmail.com> <BN8PR15MB32814A8A9E26BD1672B8104FB3AFA@BN8PR15MB3281.namprd15.prod.outlook.com> <DB9PR05MB8473050AB3D79D47709D29A4A3AFA@DB9PR05MB8473.eurprd05.prod.outlook.com>
In-Reply-To: <DB9PR05MB8473050AB3D79D47709D29A4A3AFA@DB9PR05MB8473.eurprd05.prod.outlook.com>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Thu, 09 Nov 2023 11:21:09 -0500
Message-ID: <CADyWQ+HhWGHJp=pm2==LHYgTTZKvgeDGWY1EM-k6zA7bZi6R+g@mail.gmail.com>
To: "Gianpaolo Angelo Scalone, Vodafone" <Gianpaolo-Angelo.Scalone@vodafone.com>
Cc: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>, Ben Schwartz <bemasc@meta.com>, "dnsop@ietf.org" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001cef2f0609ba9885"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vYepcGggGvkRs5Ne4DBW3AShLHs>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-07.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Nov 2023 16:21:43 -0000
Thanks both of you - I knew I was missing this when I hit send. tim On Thu, Nov 9, 2023 at 11:20 AM Gianpaolo Angelo Scalone, Vodafone < Gianpaolo-Angelo.Scalone@vodafone.com> wrote: > Hi Tim , > I'm not proposing that the browser shows an https page in any use case, > Only as result of out of band request or if received from well known > service, > Eventually by creating a service for hosting well known high reputation > static only blocking pages. > Without this the user remain subject to false positives without being able > to request a reclassification, > Resulting in potentially unwanted censorship... > > Gianpaolo > > Inviato da Outlook per Android <https://aka.ms/AAb9ysg> > > > C2 General > ------------------------------ > *Da:* Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org> > *Inviato:* Giovedì, Novembre 9, 2023 5:14:26 PM > *A:* Tim Wicinski <tjw.ietf@gmail.com>; Ben Schwartz <bemasc@meta.com> > *Cc:* Gianpaolo Angelo Scalone, Vodafone < > Gianpaolo-Angelo.Scalone@vodafone.com>; dnsop@ietf.org <dnsop@ietf.org> > *Oggetto:* Re: [DNSOP] I-D Action: > draft-ietf-dnsop-structured-dns-error-07.txt > > *External Email:* Be cautious about the sender email address, attachments > and links. If uncertain use Report Message button. > > Tim, > > The EDE error codes cover that use case already, by allowing the browser > to generate that error page, and without requiring the DNS filter to run an > HTTP server at all. > > --Ben Schwartz > ------------------------------ > *From:* DNSOP <dnsop-bounces@ietf.org> on behalf of Tim Wicinski < > tjw.ietf@gmail.com> > *Sent:* Thursday, November 9, 2023 10:48 AM > *To:* Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org> > *Cc:* Gianpaolo Angelo Scalone, Vodafone <Gianpaolo-Angelo.Scalone= > 40vodafone.com@dmarc.ietf.org>; dnsop@ietf.org <dnsop@ietf.org> > *Subject:* Re: [DNSOP] I-D Action: > draft-ietf-dnsop-structured-dns-error-07.txt > > On Thu, Nov 9, 2023 at 10: 02 AM Ben Schwartz <bemasc=40meta. com@ dmarc. > ietf. org> wrote: Note that "mailto" URIs can pre-populate subject and body > contents, so information about the specific blocked item and other metadata > could > ZjQcmQRYFpfptBannerStart > This Message Is From an External Sender > > ZjQcmQRYFpfptBannerEnd > > > On Thu, Nov 9, 2023 at 10:02 AM Ben Schwartz <bemasc= > 40meta.com@dmarc.ietf.org> wrote: > > Note that "mailto" URIs can pre-populate subject and body contents, so > information about the specific blocked item and other metadata could be > populated automatically. This seems sufficient for enterprise use cases > like allowing employees to tell corporate IT that they are blocking > something incorrectly. > > HTTP error pages are primarily relevant to end users on personal devices > whose access is being blocked by their ISP. That is not an environment in > which it is safe or appropriate for the network to inject block pages. > > > Ben > > In the Enterprise case , the end user does need to see some simple web > based feedback. My employer's Firewalls throw up a very basic "You can not > go to example.com". > > tim > > > > --Ben Schwartz > ------------------------------ > *From:* DNSOP <dnsop-bounces@ietf.org> on behalf of Gianpaolo Angelo > Scalone, Vodafone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org> > *Sent:* Thursday, November 9, 2023 4:08 AM > *To:* dnsop@ietf.org <dnsop@ietf.org> > *Subject:* Re: [DNSOP] I-D Action: > draft-ietf-dnsop-structured-dns-error-07.txt > > Hi, I still think that a mechanism to reach an HTTPS resource is needed. > Considering the security implications of rendering directly an HTTPS URI, > It could be an additional field, to be used by the client For out of band > connection to retrieve > > Hi, > > I still think that a mechanism to reach an HTTPS resource is needed. > > Considering the security implications of rendering directly an HTTPS URI, > > It could be an additional field, to be used by the client > > - For out of band connection to retrieve the needed page info from > resolvers with high reputation that have agreements with the browser > - To connect to an high reputation service (to be created) having the > only purpose to host blocking pages on behalf of the various DNS filtering > services > - This high reputation service would be defined in a separated RFC > - Access criteria and content to be defined > - Management criteria to be defined > > > > Having such a service would allow to access high reputation information > about the eventual blocking reason and provide the end user modern methods > to understand the blocking or request an amendment in case of false > positives. > > > > The mechanism proposed in draft-ietf-dnsop-structured-dns-error-07.txt is > a big improvement respect the existing situation, but still requires some > knowledge that common users may not have and so limit the capability to > require amendments only to users well educated on the topic. > > With a SIP contact or an EMAIL contact the end user should know what to > ask very well, with an HTTPS URI a request to amend the blocking could be > populated with the relevant information, empowering also less experienced > users (here we are sort of providing a pre internet solution to an internet > problem). > > > > Many countries request filtering of DNS traffic for CSAM or for Adult > Content Filtering reasons, so a good way to avoid false positives would > provide the population a better access to internet. > > > > Gianpaolo > > > > C2 General > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > > >
- [DNSOP] I-D Action: draft-ietf-dnsop-structured-d… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… tirumal reddy
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Gianpaolo Angelo Scalone, Vodafone
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Ben Schwartz
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Tim Wicinski
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Ben Schwartz
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Gianpaolo Angelo Scalone, Vodafone
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Tim Wicinski
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Gianpaolo Angelo Scalone, Vodafone
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Ben Schwartz
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Ralf Weber