Re: [Doh] WGLC #2
Tom Pusateri <pusateri@bangj.com> Wed, 23 May 2018 21:53 UTC
Return-Path: <pusateri@bangj.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8299A12D7F0 for <doh@ietfa.amsl.com>; Wed, 23 May 2018 14:53:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CqbTTW5cyiKU for <doh@ietfa.amsl.com>; Wed, 23 May 2018 14:53:34 -0700 (PDT)
Received: from oj.bangj.com (amt0.gin.ntt.net [129.250.11.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD85912D7E6 for <doh@ietf.org>; Wed, 23 May 2018 14:53:34 -0700 (PDT)
Received: from [172.16.25.109] (69-77-155-155.static.skybest.com [69.77.155.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by oj.bangj.com (Postfix) with ESMTPSA id 180C58B6; Wed, 23 May 2018 17:52:00 -0400 (EDT)
From: Tom Pusateri <pusateri@bangj.com>
Message-Id: <64EB3BCA-64D2-47DB-8F0E-D323451F0025@bangj.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_136F8290-5062-436C-9E3C-69978EE11E5D"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Wed, 23 May 2018 17:53:32 -0400
In-Reply-To: <CAOdDvNrW0qGn1V1s+fWhtn+LV-YiNEu66wp030_Jv-7EW2WhgA@mail.gmail.com>
Cc: Sara Dickinson <sara@sinodun.com>, DoH WG <doh@ietf.org>, "Hewitt, Rory" <rhewitt=40akamai.com@dmarc.ietf.org>
To: Patrick McManus <pmcmanus@mozilla.com>
References: <CAHbrMsCxkogJ-fzubf7cPgvbeGAhWUFKV3crrmn4ee6=fDnqwQ@mail.gmail.com> <382ba525100a4561b086fe8b8b6527be@ustx2ex-dag1mb3.msg.corp.akamai.com> <603D7553-D1A9-4DCC-9E74-199059C56A9F@sinodun.com> <CAOdDvNrW0qGn1V1s+fWhtn+LV-YiNEu66wp030_Jv-7EW2WhgA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/7ZYYUpyGdYLpnL9ya4iN8Hki-GQ>
Subject: Re: [Doh] WGLC #2
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 May 2018 21:53:38 -0000
> On May 23, 2018, at 5:44 PM, Patrick McManus <pmcmanus@mozilla.com> wrote: > > > > On Tue, May 22, 2018 at 11:37 AM, Sara Dickinson <sara@sinodun.com <mailto:sara@sinodun.com>> wrote: > > 1) I previously asked if this spec required that a DNS API Sever should only be used if authentication of the TLS connection was successful. I got conflicting answers from Paul and Martin (‘No we can’t say that’ vs ‘authentication is critical and implicit’) and don’t see anything in this version that resolves this. I know there is other work attempting to address this issue (and more) but the lack of clarity in this document on the topic is still an issue for me. I’d still like to see a single sentence that either > - makes clear the requirement (preferable) or > - states that this is out of scope > > > Martin is right - I'm not sure where the confusion originated. Authentication is part of HTTPS. I know dprive went down the road of opportunistic security, but that's not something HTTPS does. (plaintext http:// might, but we're pretty clear about doh steering clear of that.) > > https://github.com/dohwg/draft-ietf-doh-dns-over-https/pull/186 <https://github.com/dohwg/draft-ietf-doh-dns-over-https/pull/186> > > does this work? > > -DNS API client MUST only use a DNS API server that is configured as trustworthy. > +DNS API client MUST only use a DNS API server that is configured as > +trustworthy. {{RFC2818}} defines how HTTPS verifies the identity of > +a connection with the trusted service. How do you define trustworthy? This seems like it would vary for different clients and servers in different environments. Trustworthiness isn’t binary although somewhere along a sliding scale, it crosses a threshold where you are willing to configure it. But that threshold is different for each client / user. I don’t think trustworthiness is something the document can require,. especially with RFC 2119 language. Tom
- [Doh] WGLC #2 Ben Schwartz
- Re: [Doh] WGLC #2 Hewitt, Rory
- [Doh] "Selection of DNS API Server": make it a co… Mateusz Jończyk
- Re: [Doh] WGLC #2 Sara Dickinson
- Re: [Doh] WGLC #2 Mateusz Jończyk
- Re: [Doh] WGLC #2 Mateusz Jończyk
- Re: [Doh] WGLC #2 Hewitt, Rory
- Re: [Doh] WGLC #2 Patrick McManus
- Re: [Doh] WGLC #2 Tom Pusateri
- Re: [Doh] WGLC #2 Patrick McManus
- Re: [Doh] WGLC #2 Patrick McManus
- Re: [Doh] WGLC #2 Tom Pusateri
- Re: [Doh] WGLC #2 Patrick McManus
- Re: [Doh] WGLC #2 Patrick McManus
- [Doh] Draft -09 and WGLC #2 Paul Hoffman
- Re: [Doh] Draft -09 and WGLC #2 Andrew Sullivan
- [Doh] A question of trust (was Re: Draft -09 and … Martin Thomson
- Re: [Doh] A question of trust (was Re: Draft -09 … Patrick McManus
- Re: [Doh] A question of trust (was Re: Draft -09 … Mark Nottingham
- Re: [Doh] A question of trust (was Re: Draft -09 … Martin Thomson
- Re: [Doh] Draft -09 and WGLC #2 Patrick McManus
- Re: [Doh] Draft -09 and WGLC #2 Andrew Sullivan
- Re: [Doh] A question of trust (was Re: Draft -09 … Sara Dickinson
- Re: [Doh] WGLC #2 Ben Schwartz
- Re: [Doh] A question of trust (was Re: Draft -09 … Mateusz Jończyk
- Re: [Doh] WGLC #2 Martin Thomson
- Re: [Doh] A question of trust (was Re: Draft -09 … Patrick McManus
- Re: [Doh] A question of trust (was Re: Draft -09 … Patrick McManus
- Re: [Doh] Draft -09 and WGLC #2 Patrick McManus
- Re: [Doh] A question of trust (was Re: Draft -09 … Andrew Sullivan
- Re: [Doh] [Ext] A question of trust (was Re: Draf… Paul Hoffman
- Re: [Doh] Draft -09 and WGLC #2 Andrew Sullivan
- Re: [Doh] A question of trust (was Re: Draft -09 … Patrick McManus
- Re: [Doh] A question of trust (was Re: Draft -09 … Mateusz Jończyk
- Re: [Doh] A question of trust (was Re: Draft -09 … Patrick McManus
- Re: [Doh] [Ext] A question of trust (was Re: Draf… Sara Dickinson
- Re: [Doh] [Ext] A question of trust (was Re: Draf… Paul Hoffman
- Re: [Doh] [Ext] A question of trust (was Re: Draf… Andrew Sullivan
- Re: [Doh] [Ext] A question of trust (was Re: Draf… Paul Hoffman
- Re: [Doh] [Ext] A question of trust (was Re: Draf… Mateusz Jończyk
- Re: [Doh] [Ext] A question of trust (was Re: Draf… Paul Hoffman
- Re: [Doh] [Ext] A question of trust (was Re: Draf… Mateusz Jończyk