Re: [Doh] Authentication in draft-ietf-doh-resolver-associated-doh-03.txt

Patrick McManus <mcmanus@ducksong.com> Tue, 26 March 2019 10:25 UTC

References: <155341529409.18062.10657099011172813446@ietfa.amsl.com> <20190325110136.GA23793@laperouse.bortzmeyer.org> <08BD5718-CD1F-47B3-A4FB-4040F8E9FC4B@icann.org> <236b4e32-3184-9792-a162-e3db3d09922b@riseup.net> <CAFpG3gdU9g06hq+PTCVYZy7fG4A0QGAYmOrEEoPT5d4OiTom+w@mail.gmail.com>
In-Reply-To: <CAFpG3gdU9g06hq+PTCVYZy7fG4A0QGAYmOrEEoPT5d4OiTom+w@mail.gmail.com>
From: Patrick McManus <mcmanus@ducksong.com>
Date: Tue, 26 Mar 2019 11:25:38 +0100
X-Gmail-Original-Message-ID: <CAOdDvNr4RYhrVjVDyUeESUG-7tLWN-SXYw8QSderEbUGLXSpwg@mail.gmail.com>
Message-ID: <CAOdDvNr4RYhrVjVDyUeESUG-7tLWN-SXYw8QSderEbUGLXSpwg@mail.gmail.com>
To: tirumal reddy <kondtir@gmail.com>
Cc: nusenu <nusenu-lists@riseup.net>, DoH WG <doh@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b5414a0584fcbe86"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/FTBg02nWvxlU5RwZR00VI7mJ-p8>
Subject: Re: [Doh] Authentication in draft-ietf-doh-resolver-associated-doh-03.txt

On Tue, Mar 26, 2019 at 9:48 AM tirumal reddy <kondtir@gmail.com> wrote:

>
> Agreed, and with our proposal in
> https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-02,
> the query for URI templates can use FQDN instead of
> IP address, and the HTTPS server certificate can be validated by the DoH
> client.
>
>
Right. The weakness here is that validating a name that probably comes from
an unauthenticated source is not a very strong signal. That seems inherent
in the draft, but maybe worth calling out more explicitly.

OTOH, and out of scope for this draft, the DoH client could do some kind
of validation beyond the name, like looking for an X.509 attribute (and
cross signature) indicating some kind of better-business-like endorsement
of privacy practices. So I think validation in the scope of
associated-resolver is a desirable property even though the usually
validated thing, the name, is a little less valuable here.
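As an added illustration of the point raised in this message (not code from the draft, the thread, or any DoH implementation): a DoH client checks the resolver's certificate against the FQDN it was handed, and when that FQDN came from an unauthenticated source (DHCP, for instance) it requires an extra X.509 signal before trusting the resolver. The certificate is a constructed dict in the shape returned by `ssl.SSLSocket.getpeercert()`; the `certificatePolicies` key and the endorsement OID are assumptions for illustration and are not exposed by the standard library.

```python
# Added example (not from the draft or the list discussion).
# Models the two-layer check described in the message: a SAN name match,
# then an additional certificate attribute when the name source is untrusted.

# Placeholder OID standing in for a hypothetical cross-signed "privacy
# practices endorsement" policy. No such OID is defined anywhere (constructed).
ENDORSEMENT_POLICY_OID = "1.3.6.1.4.1.99999.1.1"


def san_dns_names(cert):
    """Collect dNSName entries from a getpeercert()-style dict."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def label_match(pattern, name):
    """RFC 6125-style comparison of one SAN dNSName against a hostname.
    A wildcard is honoured only as the entire left-most label."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    remainder = pattern[2:]
    labels = name.split(".")
    # The wildcard consumes exactly one label; the rest must match literally.
    if len(labels) < 2 or "*" in remainder:
        return False
    return ".".join(labels[1:]) == remainder


def name_matches(cert, fqdn):
    """True if any SAN dNSName in the certificate covers the expected FQDN."""
    return any(label_match(pattern, fqdn) for pattern in san_dns_names(cert))


def has_endorsement(cert, policy_oid=ENDORSEMENT_POLICY_OID):
    """Check for an assumed 'certificatePolicies' entry. getpeercert() does not
    expose this extension; the key is an assumption made for this example."""
    return policy_oid in cert.get("certificatePolicies", ())


def validate_resolver_cert(cert, fqdn, name_source_authenticated):
    """Return (accept, reason). A name match is necessary, but when the name
    itself arrived over an unauthenticated channel it is not sufficient."""
    if not name_matches(cert, fqdn):
        return False, "name mismatch"
    if name_source_authenticated:
        return True, "name match from authenticated source"
    if has_endorsement(cert):
        return True, "name match plus endorsement attribute"
    return False, "name match only; name source unauthenticated"


if __name__ == "__main__":
    # Constructed sample: a resolver certificate with two SAN entries.
    sample_cert = {"subjectAltName": (("DNS", "doh.example.net"), ("DNS", "*.isp.example"))}
    print(validate_resolver_cert(sample_cert, "doh.example.net", False))
    endorsed = dict(sample_cert, certificatePolicies=(ENDORSEMENT_POLICY_OID,))
    print(validate_resolver_cert(endorsed, "doh.example.net", False))
```

The decision function makes the message's observation concrete: for a name learned from an untrusted source, a successful name match only proves that the certificate belongs to whoever chose that name, so the client needs a second signal that is independent of the name before it treats the resolver as trustworthy.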