IETF Logo Mail Archive

Re: [Doh] New Privacy Considerations Section Proposal

"Hewitt, Rory" <rhewitt@akamai.com> Thu, 21 June 2018 00:02 UTC

Return-Path: <rhewitt@akamai.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C940E130F35 for <doh@ietfa.amsl.com>; Wed, 20 Jun 2018 17:02:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.711
X-Spam-Level:
X-Spam-Status: No, score=-0.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UIsSazpCleLK for <doh@ietfa.amsl.com>; Wed, 20 Jun 2018 17:02:49 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8942130F25 for <doh@ietf.org>; Wed, 20 Jun 2018 17:02:46 -0700 (PDT)
Received: from pps.filterd (m0050102.ppops.net [127.0.0.1]) by m0050102.ppops.net-00190b01. (8.16.0.22/8.16.0.22) with SMTP id w5L02TJD032262 for <doh@ietf.org>; Thu, 21 Jun 2018 01:02:46 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=YOm8rkNvO8adEKS9TKKjixaGkG2Rs6UOBbpF4ZZdpgw=; b=b+ER2S4i5TE23t8ZEpZlkTa8x/EShLfjP1wkkgbptvGEHPRDf5exvXa2xr2LehhgxQ5n s75qxPjENU+V56f0CJkc3bvBJkAdwmA3CjrtRSv4gDNkswiozWbLCImSXdkZuLnV8oRU JOWh3LPulovvpEKl84daUpiT6ipIsTQR4/bw/zBCE6xjjy0T7Mc9CRA6Ve+OPUthtV2k +usr48xFOHg6RB2xrwWUA5CxKG4Km3Mr0g/jCkcKatV9Y8q5Gr+tzK7tWs5RrV4U1L9B RveFtNKBgtS0emdvnfgRY8Kc96Ce8XwHwAOoZiD6dpDtCfHSSE0wm7TnGtzeMdgjXx5Z zg==
Received: from prod-mail-ppoint3 (a96-6-114-86.deploy.static.akamaitechnologies.com [96.6.114.86] (may be forged)) by m0050102.ppops.net-00190b01. with ESMTP id 2jqdg8auds-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <doh@ietf.org>; Thu, 21 Jun 2018 01:02:45 +0100
Received: from pps.filterd (prod-mail-ppoint3.akamai.com [127.0.0.1]) by prod-mail-ppoint3.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w5L01FEs003459 for <doh@ietf.org>; Wed, 20 Jun 2018 20:02:45 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.30]) by prod-mail-ppoint3.akamai.com with ESMTP id 2jmwwcbbj2-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for <doh@ietf.org>; Wed, 20 Jun 2018 20:02:44 -0400
Received: from USMA1EX-DAG1MB3.msg.corp.akamai.com (172.27.123.103) by usma1ex-dag1mb6.msg.corp.akamai.com (172.27.123.65) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Wed, 20 Jun 2018 20:02:43 -0400
Received: from USMA1EX-DAG1MB3.msg.corp.akamai.com ([172.27.123.103]) by usma1ex-dag1mb3.msg.corp.akamai.com ([172.27.123.103]) with mapi id 15.00.1365.000; Wed, 20 Jun 2018 20:02:42 -0400
From: "Hewitt, Rory" <rhewitt@akamai.com>
To: DoH WG <doh@ietf.org>
Thread-Topic: [Doh] New Privacy Considerations Section Proposal
Thread-Index: AQHUCOLizcet6foASEaLXJ/0XvgPYqRp+VuAgAANqoCAAA5TgP//vcdg
Date: Thu, 21 Jun 2018 00:02:42 +0000
Message-ID: <ac626369fed64ddeb426c62af75d9f8a@usma1ex-dag1mb3.msg.corp.akamai.com>
References: <CAOdDvNpY4NpvSKW_D__jztDD_wkaRsJna9L+Br+hdnDnQ8w5SQ@mail.gmail.com> <CA+9kkMDt03Uv6UvtZw=mvo=+6dprGqUDMkC7Ef6bd=kb6vX_Fg@mail.gmail.com> <CAOdDvNrjZu-q63DUhNjf7fYjNux2ewv4DTZkGPvFRrGfBBJFMA@mail.gmail.com> <c67dc5cb-f6a5-4352-da59-71c4bb9ff98b@nostrum.com>
In-Reply-To: <c67dc5cb-f6a5-4352-da59-71c4bb9ff98b@nostrum.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.117.211]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0087_01D408B8.7FD3D220"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-06-20_11:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1805220000 definitions=main-1806200258
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-06-20_11:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1805220000 definitions=main-1806200258
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/JwY9XD4dsEs0t7OcVs3J1ByyzPU>
Subject: Re: [Doh] New Privacy Considerations Section Proposal
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jun 2018 00:03:02 -0000

I like Patrick's proposed wording along the lines of "...should use the 
minimal set of data that can achieve the desired feature set.", but I also 
like Ted's more explicit suggestion.



Perhaps this combination?:



"DoH clients should use the minimal set of data (e.g. headers, cookies) that 
can achieve the desired feature set whilst minimizing potentially identifying 
information being passed."



Just my $0.02...



Thanks,



Rory



From: Adam Roach [mailto:adam@nostrum.com]
Sent: Wednesday, June 20, 2018 4:55 PM
To: Patrick McManus <pmcmanus@mozilla.com>; Ted Hardie <ted.ietf@gmail.com>
Cc: DoH WG <doh@ietf.org>
Subject: Re: [Doh] New Privacy Considerations Section Proposal



[as an individual]

I agree with Patrick's analysis here, and think the proposed text (plus the 
"minimal set of data" statement below) is likely to serve the purpose well. In 
particular, I agree with Patrick that the various features that have been 
cited so far each serve a useful purpose, and that such purposes may have a 
place in DoH deployments. Giving implementors a heads up about the privacy 
trade-offs seems appropriate. Mandating (MUST or SHOULD) that DoH runs over a 
minimal profile of HTTP seems to remove several of the advantages of using 
HTTP at all.

/a

On 6/20/18 6:03 PM, Patrick McManus wrote:





On Wed, Jun 20, 2018 at 6:14 PM, Ted Hardie <ted.ietf@gmail.com 
<mailto:ted.ietf@gmail.com> > wrote:

Repeating the comment I made at Github:



Is there a reason not to make a recommendation for the case of a DOH-only 
service?  The current text says:

Implementations of DoH clients and servers need to consider the benefit
and privacy impact of all these features, and their deployment context,
when deciding whether or not to enable them.

Would you consider a recommendation like "For DOH clients which do not 
intermingle DOH requests with other HTTP suppression of these headers and 
other potentially identifying headers is an appropriate data minimization 
strategy."?





there are some practical problems there. Big picture you need to weigh the 
reasons these things get used in your implementation decisions. Its not like 
TLS didn't know they had built a tracker with session tickets, yet dprive 
recommended its use anyhow :)



every http feature has a reason an implementation might want want it in doh. 
cookies can do useful things for auth. new compression algorithms (which 
create a fingerprint on introduction just as surely as UA does) enable better 
performance. etc.. UA strings have kept the web runinng, for good and bad, 
across many unanticipated bugs for many years.. I'm not saying those arguments 
win the day but its not really DoH's place to change the properties of HTTP. 
Alt-Service provides great load balancing and protocol evolution, but its 
basically a cache with a tracking implication too.



It is an important goal of this work to leverage the HTTP ecosystem - 
stripping out all the HTTP parts and leaving a tunnel doesn't give it any 
value.



The picture is also complicated by the end to end message semantics of http 
headers and how they interact with the hop to hop transport semantics of the 
client or server. i.e. the notion of intermingle is not e2e, but headers are. 
That's not really a driver, but something to keep in mind when considering the 
limitations of text.



I'm more inclined in general to use words along the lines of "should use the 
minimal set of data that can achieve the desired feature set." if that's 
helpful, but I'm not eager to start working through individual design 
decisions.










_______________________________________________
Doh mailing list
Doh@ietf.org <mailto:Doh@ietf.org>
https://www.ietf.org/mailman/listinfo/doh 
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_doh&d=DwMDaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=h4goE6gK_ZaRrvwi4Hglaq0NyaBCb3I3XALyazxKb6w&m=7boz0IZ1KBlcynrJRZvHUlL6gh1y4uzb-x87ZvAPKpg&s=avFqKXoSyMVxMlVyRiyAICtyhhiq6eXCDBvftWeYx14&e=>

v2.23.0 | Report a Bug | By Email