IETF Logo Mail Archive

Re: [Doh] New Privacy Considerations Section Proposal

Patrick McManus <pmcmanus@mozilla.com> Wed, 20 June 2018 23:03 UTC

Return-Path: <pmcmanus@mozilla.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DE37130EDE for <doh@ietfa.amsl.com>; Wed, 20 Jun 2018 16:03:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.234
X-Spam-Level:
X-Spam-Status: No, score=-1.234 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zjbdnhz9Ops1 for <doh@ietfa.amsl.com>; Wed, 20 Jun 2018 16:03:18 -0700 (PDT)
Received: from linode64.ducksong.com (linode6only.ducksong.com [IPv6:2600:3c02::f03c:91ff:fe6e:e8da]) by ietfa.amsl.com (Postfix) with ESMTP id 4E851130F07 for <doh@ietf.org>; Wed, 20 Jun 2018 16:03:18 -0700 (PDT)
Received: from mail-ot0-f178.google.com (mail-ot0-f178.google.com [74.125.82.178]) by linode64.ducksong.com (Postfix) with ESMTPSA id E34B83A042 for <doh@ietf.org>; Wed, 20 Jun 2018 19:03:16 -0400 (EDT)
Received: by mail-ot0-f178.google.com with SMTP id l15-v6so1400870oth.6 for <doh@ietf.org>; Wed, 20 Jun 2018 16:03:16 -0700 (PDT)
X-Gm-Message-State: APt69E3NjOzwc5OtLhS+SfX9spxNnm28pFxU8mxq5N0tGRDpfwCpy7Iz gZf4qdx4gR8ErI7J06Nrwz2GoGw6Wqhsj93hch0=
X-Google-Smtp-Source: ADUXVKIdx36L8qIhzrGSMuXuQUjaiKIPmKk/Rgu7KwBqVBnU6utNfT0ELaxsZjRZ/MANQBWGYP2gUFl339iRKJ0baGA=
X-Received: by 2002:a9d:1bd6:: with SMTP id v22-v6mr14943886otv.85.1529535796586; Wed, 20 Jun 2018 16:03:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4a:8a32:0:0:0:0:0 with HTTP; Wed, 20 Jun 2018 16:03:15 -0700 (PDT)
In-Reply-To: <CA+9kkMDt03Uv6UvtZw=mvo=+6dprGqUDMkC7Ef6bd=kb6vX_Fg@mail.gmail.com>
References: <CAOdDvNpY4NpvSKW_D__jztDD_wkaRsJna9L+Br+hdnDnQ8w5SQ@mail.gmail.com> <CA+9kkMDt03Uv6UvtZw=mvo=+6dprGqUDMkC7Ef6bd=kb6vX_Fg@mail.gmail.com>
From: Patrick McManus <pmcmanus@mozilla.com>
Date: Wed, 20 Jun 2018 19:03:15 -0400
X-Gmail-Original-Message-ID: <CAOdDvNrjZu-q63DUhNjf7fYjNux2ewv4DTZkGPvFRrGfBBJFMA@mail.gmail.com>
Message-ID: <CAOdDvNrjZu-q63DUhNjf7fYjNux2ewv4DTZkGPvFRrGfBBJFMA@mail.gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
Cc: Patrick McManus <pmcmanus@mozilla.com>, DoH WG <doh@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d3af34056f1acd00"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/190prGOljOiZX_q7JPvyHq5ByAs>
Subject: Re: [Doh] New Privacy Considerations Section Proposal
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jun 2018 23:03:30 -0000

On Wed, Jun 20, 2018 at 6:14 PM, Ted Hardie <ted.ietf@gmail.com> wrote:

> Repeating the comment I made at Github:
>
> Is there a reason not to make a recommendation for the case of a DOH-only
> service?  The current text says:
>
> Implementations of DoH clients and servers need to consider the benefit
> and privacy impact of all these features, and their deployment context,
> when deciding whether or not to enable them.
>
> Would you consider a recommendation like "For DOH clients which do not
> intermingle DOH requests with other HTTP suppression of these headers and
> other potentially identifying headers is an appropriate data minimization
> strategy."?
>
>
there are some practical problems there. Big picture you need to weigh the
reasons these things get used in your implementation decisions. Its not
like TLS didn't know they had built a tracker with session tickets, yet
dprive recommended its use anyhow :)

every http feature has a reason an implementation might want want it in
doh. cookies can do useful things for auth. new compression algorithms
(which create a fingerprint on introduction just as surely as UA does)
enable better performance. etc.. UA strings have kept the web runinng, for
good and bad, across many unanticipated bugs for many years.. I'm not
saying those arguments win the day but its not really DoH's place to change
the properties of HTTP. Alt-Service provides great load balancing and
protocol evolution, but its basically a cache with a tracking implication
too.

It is an important goal of this work to leverage the HTTP ecosystem -
stripping out all the HTTP parts and leaving a tunnel doesn't give it any
value.

The picture is also complicated by the end to end message semantics of http
headers and how they interact with the hop to hop transport semantics of
the client or server. i.e. the notion of intermingle is not e2e, but
headers are. That's not really a driver, but something to keep in mind when
considering the limitations of text.

I'm more inclined in general to use words along the lines of "should use
the minimal set of data that can achieve the desired feature set." if
that's helpful, but I'm not eager to start working through individual
design decisions.

v2.23.0 | Report a Bug | By Email