Re: [Doh] Authentication in draft-ietf-doh-resolver-associated-doh-03.txt

Patrick McManus <mcmanus@ducksong.com> Tue, 26 March 2019 11:02 UTC

From: Patrick McManus <mcmanus@ducksong.com>
Date: Tue, 26 Mar 2019 12:02:42 +0100
To: tirumal reddy <kondtir@gmail.com>
Cc: Patrick McManus <mcmanus@ducksong.com>, nusenu <nusenu-lists@riseup.net>, DoH WG <doh@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/D1GfMyeabSXnPlxC-9wzFJATWmw>
Subject: Re: [Doh] Authentication in draft-ietf-doh-resolver-associated-doh-03.txt

I'm sorry - I quoted your draft name when I was referring to Paul's.

On Tue, Mar 26, 2019 at 11:46 AM tirumal reddy <kondtir@gmail.com> wrote:

> On Tue, 26 Mar 2019 at 11:25, Patrick McManus <mcmanus@ducksong.com>
> wrote:
>
>>
>>
>> On Tue, Mar 26, 2019 at 9:48 AM tirumal reddy <kondtir@gmail.com> wrote:
>>
>>>
>>> Agreed, and with our proposal in
>>> https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-02,
>>> the query for URI templates can use FQDN instead of
>>> IP address, and the HTTPS server certificate can be validated by the DoH
>>> client.
>>>
>>>
>> right. The weakness here is that validating a name that probably comes
>> from an unauthenticated source is not a very strong signal.
>>
>
> No, the name is coming from an authenticated source. The explicit trust
> store to validate the local DoH server certificate can also be used to
> validate the S-NAPTR lookup
> response is authentic using DNSSEC.
>
>
>> That seems inherent in the draft, but maybe worth calling out more
>> explicitly.
>>
>> otoh - and out of scope for this draft - the DoH client could do some
>> kind of validation beyond the name... like looking for an x509 attribute (and
>> cross signature) indicating some kind of better-business like endorsement
>> of privacy practices.
>>
>
> The draft discusses a privacy certificate extension that helps the endpoint
> identify the privacy preserving data policy of the DNS
> server. The extension contains a URL that points to the privacy
> preserving data policy.
>
>
>
>> So I think validation in the scope of associated-resolver is a desirable
>> property even though the usually validated thing, the name, is a little
>> less valuable here.
>>
>
> The name is a reference identifier for validating the local DoH server
> certificate.
>
> Cheers,
> -Tiru
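The point being argued above (the discovered name is the reference identifier for the certificate check, and that check is only as strong as the source of the name) can be made concrete. The following is an added illustration, not code from either draft or from anyone in this thread; the DoH URI template, the `example.net` names and the `dnssec_validated` flag are all constructed assumptions standing in for what a real client would obtain from its resolver lookup and the TLS handshake.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class ValidationResult:
    reference_id: str
    name_matched: bool        # certificate SAN matched the reference identifier
    name_authenticated: bool  # the lookup that produced the name was DNSSEC-validated

    @property
    def trusted(self) -> bool:
        # A SAN match on a name learned from an unauthenticated answer is a weak
        # signal, so both conditions are required before the endpoint is trusted.
        return self.name_matched and self.name_authenticated


def reference_identifier(uri_template: str) -> str:
    """Host component of a DoH URI template, e.g. https://doh.example.net/dns-query{?dns}."""
    # Drop the RFC 6570 variable part so urlsplit sees a plain URI.
    plain = uri_template.split("{", 1)[0]
    host = urlsplit(plain).hostname
    if not host:
        raise ValueError("URI template has no host component")
    return host.lower().rstrip(".")


def san_matches(presented: str, reference: str) -> bool:
    """RFC 6125 dNSName matching: exact match, or one wildcard in the left-most label only."""
    presented = presented.lower().rstrip(".")
    if presented == reference:
        return True
    if not presented.startswith("*."):
        return False
    p_labels, r_labels = presented.split("."), reference.split(".")
    # The wildcard covers exactly one label and may not sit at the public-suffix level.
    return (len(p_labels) == len(r_labels) and len(p_labels) >= 3
            and p_labels[1:] == r_labels[1:])


def validate_doh_server(uri_template: str, san_dns_names: list[str],
                        dnssec_validated: bool) -> ValidationResult:
    """Check the presented certificate's dNSName SANs against the discovered template's host."""
    ref = reference_identifier(uri_template)
    matched = any(san_matches(name, ref) for name in san_dns_names)
    return ValidationResult(ref, matched, dnssec_validated)
```

Run `validate_doh_server(...)` with `dnssec_validated=False` to see a certificate that matches perfectly still yield `trusted == False`, which is the gap the discussion is about.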