Re: [Doh] draft-ietf-doh-resolver-associated-doh-02 comments

"Martin Thomson" <mt@lowentropy.net> Tue, 19 March 2019 23:43 UTC

Message-Id: <8657a914-dc1c-4f48-a2d7-01949da1604c@www.fastmail.com>
In-Reply-To: <6980a503-bbe2-ffa1-351e-0d2005221bf2@cs.tcd.ie>
References: <6980a503-bbe2-ffa1-351e-0d2005221bf2@cs.tcd.ie>
Date: Tue, 19 Mar 2019 19:42:59 -0400
From: Martin Thomson <mt@lowentropy.net>
To: doh@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/LBvoc4u1mBpjZjTrwY2DCmAKdSA>
Subject: Re: [Doh] draft-ietf-doh-resolver-associated-doh-02 comments
List-Id: DNS Over HTTPS <doh.ietf.org>

On Wed, Mar 20, 2019, at 07:53, Stephen Farrell wrote:
> - Section 2: what about OCSP? are we assuming that the OCSP
> responder is resolved by the precursor system resolver or
> the DoH resolver or both? I don't think it makes a security
> difference (OCSP works or doesn't as usual), but it may be
> a gotcha in terms of establishing the TLS session. Or, are
> we assuming there's no point in OCSP for an IP-address
> cert? (I forget;-)

In capport we've made some recommendations about what can be done when you have limited network access.  The situation isn't identical, but the guidance is the same: staple OCSP responses and provide all intermediates (i.e., don't send people chasing after AIA URLs that they can't resolve).
> - Section 2: "the normal rules for HTTP" - does that mean
> all re-directs MUST be HTTPS too? And can those URLs use
> DNS names or must they be IP address certs too?

There are no "normal rules" for HTTP and redirects.  You have to explicitly say that redirects to unauthenticated resources are not permitted.

> - Section 7, para 1: that's way too one-sided. DoH could
> be less privacy-friendly (than say DoT) due to cookies and
> whatnot.

I think that it might pay to spend some time on this particular meme on a separate thread.  My view is that while the opportunities exist, a lot of the concern here comes more from this being different and new and less from real provable problems.  For instance, both parties have to work pretty hard to get cookies.  Even in the contexts where you think that you might not have to (like a browser).
> - Section 8: Why diss. DoT? It's not a competition:-)

I agree.  It is, but it's our responsibility to rise above that.