[DNSOP] Review of draft-ietf-dprive-dtls-and-tls-profiles-03

"Paul Hoffman" <paul.hoffman@vpnc.org> Sat, 23 July 2016 03:18 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66CB212D951 for <dnsop@ietfa.amsl.com>; Fri, 22 Jul 2016 20:18:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MqvcpFiOGd6Z for <dnsop@ietfa.amsl.com>; Fri, 22 Jul 2016 20:18:49 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14CEF12D74E for <dnsop@ietf.org>; Fri, 22 Jul 2016 20:18:49 -0700 (PDT)
Received: from [10.47.60.28] (142-254-101-201.dsl.dynamic.fusionbroadband.com [142.254.101.201]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id u6N3IkOe071327 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <dnsop@ietf.org>; Fri, 22 Jul 2016 20:18:48 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 142-254-101-201.dsl.dynamic.fusionbroadband.com [142.254.101.201] claimed to be [10.47.60.28]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: IETF DNSOP WG <dnsop@ietf.org>
Date: Fri, 22 Jul 2016 20:18:46 -0700
Message-ID: <26AB4E09-E95C-48EF-A1CD-ED70C38C7A04@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.4r5234)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xcE6gKsbkx4O9Z_3X-wGTQf8EOM>
Subject: [DNSOP] Review of draft-ietf-dprive-dtls-and-tls-profiles-03
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jul 2016 03:18:50 -0000

This document seems ready for WG Last Call. The comments I have hear can 
be dealt with before or during WG Last Call.

--Paul Hoffman

=====

The following text from section 4.2 still seems wrong:
    Since Strict Privacy provides the strongest privacy guarantees it is
    preferable to Opportunistic Privacy.
Strict Privacy is only preferable to users who would rather have an 
unusable Internet connection: an Internet connection where every DNS 
lookup in every application fails. Currently, that size of that set of 
users is incredibly small, although it might grow over time. The 
sentence above could lead developers to implement Strict Privacy without 
also implementing Opportunistic Privacy to the detriment of the vast 
majority of current Internet users.

Proposed replacement:
    Strict Privacy provides the strongest privacy guarantees and 
therefore should always be implemented along with Opportunistic Privacy. 
The negative implications of the two types of privacy are so radically 
different (a possibly-unusable Internet service for Strict Privacy; 
complete control of DNS responses for Opportunistic Privacy) that 
neither option can be considered a good default for all users.

=====

I have a significant concern about the discussion of 
draft-ietf-dprive-dnsodtls, which is listed as an informational 
reference. That document seems to be stalled again, which is 
unfortunate. If, during IETF review, someone insists that the DTLS 
document is in fact a normative reference (which would make sense if 
that document were finished), draft-ietf-dprive-dtls-and-tls-profiles 
will be blocked from publication.

Proposal: remove any mention of draft-ietf-dprive-dnsodtls from 
draft-ietf-dprive-dtls-and-tls-profiles. When (if?) 
draft-ietf-dprive-dnsodtls goes through WG Last Call, it can have a 
paragraph that says that the RFC that 
draft-ietf-dprive-dtls-and-tls-profiles has become applies to it.