Re: [Doh] draft-ietf-doh-resolver-associated-doh-02 comments
"Martin Thomson" <mt@lowentropy.net> Tue, 19 March 2019 23:43 UTC
Message-Id: <8657a914-dc1c-4f48-a2d7-01949da1604c@www.fastmail.com>
In-Reply-To: <6980a503-bbe2-ffa1-351e-0d2005221bf2@cs.tcd.ie>
References: <6980a503-bbe2-ffa1-351e-0d2005221bf2@cs.tcd.ie>
Date: Tue, 19 Mar 2019 19:42:59 -0400
From: "Martin Thomson" <mt@lowentropy.net>
To: doh@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/LBvoc4u1mBpjZjTrwY2DCmAKdSA>
Subject: Re: [Doh] draft-ietf-doh-resolver-associated-doh-02 comments
On Wed, Mar 20, 2019, at 07:53, Stephen Farrell wrote:
> - Section 2: what about OCSP? are we assuming that the OCSP
> responder is resolved by the precursor system resolver or
> the DoH resolver or both? I don't think it makes a security
> difference (OCSP works or doesn't as usual), but it may be
> a gotcha in terms of establishing the TLS session. Or, are
> we assuming there's no point in OCSP for an IP-address
> cert? (I forget;-)

In capport we've made some recommendations about what can be done when you have limited network access. The situation isn't identical, but the guidance is the same: staple OCSP responses and provide all intermediates (i.e., don't send people chasing after AIA URLs that they can't resolve).

> - Section 2: "the normal rules for HTTP" - does that mean
> all re-directs MUST be HTTPS too? And can those URLs use
> DNS names or must they be IP address certs too?

There are no "normal rules" for HTTP and redirects. You have to explicitly say that redirects to unauthenticated resources are not permitted.

> - Section 7, para 1: that's way too one-sided. DoH could
> be less privacy-friendly (than say DoT) due to cookies and
> whatnot.

I think that it might pay to spend some time on this particular meme on a separate thread. My view is that while the opportunities exist, a lot of the concern here comes more from this being different and new and less from real provable problems. For instance, both parties have to work pretty hard to get cookies. Even in the contexts where you think that you might not have to (like a browser).

> - Section 8: Why diss. DoT? It's not a competition:-)

I agree. It is, but it's our responsibility to rise above that.
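The redirect point in the reply above (a DoH client bootstrapping against a resolver reached by IP address must refuse redirects to unauthenticated resources) is easy to state and easy to get wrong in a client. The following is an added illustration, not code from the draft or from anyone in this thread. It walks a chain of constructed HTTP responses and applies that rule; the separate question of whether a redirect target may be a DNS name rather than an IP literal is left open in the thread, so here it is an explicit policy switch (`allow_dns_names`, an assumption, not a rule of the draft). The URLs, `Response` class, redirect cap and sample tables are all constructed for the example.

```python
"""Redirect policy for a DoH client bootstrapping against an IP-addressed resolver.

Added illustration; not code from the draft or from the thread. It encodes the
rule that a redirect to an unauthenticated (non-HTTPS) resource is refused.
Whether a redirect target may be a DNS name is modelled as an explicit policy
switch (assumed, not from the draft). All URLs and responses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5          # assumed cap, not from the draft
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass(frozen=True)
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    location: Optional[str] = None


def host_is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals; urlsplit().hostname already strips IPv6 brackets."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def evaluate_redirect(current_url: str, location: str,
                      allow_dns_names: bool = False) -> Tuple[bool, str]:
    """Resolve a Location header against the current URL and apply the policy.

    Returns (True, absolute_target) when the redirect may be followed, or
    (False, reason) when it must be refused.
    """
    target = urljoin(current_url, location)
    parts = urlsplit(target)
    if parts.scheme != "https":
        return False, f"refused: redirect to unauthenticated resource {target}"
    if not parts.hostname:
        return False, f"refused: redirect target has no host: {target}"
    if not allow_dns_names and not host_is_ip_literal(parts.hostname):
        # Without a working resolver the client cannot resolve a name; this
        # branch reflects the assumed policy switch, not a rule in the draft.
        return False, f"refused: redirect to DNS name {parts.hostname!r} while resolver is IP-only"
    return True, target


def follow_redirects(start_url: str, responses_by_url: Dict[str, Response],
                     allow_dns_names: bool = False) -> Tuple[bool, str]:
    """Walk a table of constructed responses from start_url, applying the policy.

    Returns (True, final_url) for a non-redirect answer, or (False, reason).
    """
    url = start_url
    for _ in range(MAX_REDIRECTS + 1):
        resp = responses_by_url.get(url)
        if resp is None:
            return False, f"no response recorded for {url}"
        if resp.status not in REDIRECT_STATUSES:
            return True, url
        if resp.location is None:
            return False, f"refused: {resp.status} without Location at {url}"
        ok, result = evaluate_redirect(url, resp.location, allow_dns_names)
        if not ok:
            return False, result
        url = result
    return False, f"refused: more than {MAX_REDIRECTS} redirects"


# Constructed sample data (192.0.2.0/24 is the RFC 5737 documentation range).
SAME_ORIGIN_MOVE = {
    "https://192.0.2.53/dns-query": Response(308, "/v2/dns-query"),
    "https://192.0.2.53/v2/dns-query": Response(200),
}
DOWNGRADE = {
    "https://192.0.2.53/dns-query": Response(302, "http://192.0.2.53/dns-query"),
}
TO_NAME = {
    "https://192.0.2.53/dns-query": Response(301, "https://doh.example/dns-query"),
    "https://doh.example/dns-query": Response(200),
}

if __name__ == "__main__":
    for label, table in [("same-origin", SAME_ORIGIN_MOVE), ("downgrade", DOWNGRADE),
                         ("to-name", TO_NAME)]:
        print(label, follow_redirects("https://192.0.2.53/dns-query", table))
    print("to-name, names allowed",
          follow_redirects("https://192.0.2.53/dns-query", TO_NAME, allow_dns_names=True))
```

Relative `Location` values are resolved against the current URL before the scheme check, so a relative redirect inherits HTTPS and passes, while an absolute `http://` target is refused even when it points back at the same resolver address. The redirect cap closes the loop case, which the draft's "normal rules" phrasing would otherwise leave to each implementation.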