Re: [Doh] Authentication in draft-ietf-doh-resolver-associated-doh-03.txt
Erik Nygren <erik+ietf@nygren.org> Tue, 26 March 2019 22:46 UTC
To: Patrick McManus <mcmanus@ducksong.com>
Cc: tirumal reddy <kondtir@gmail.com>, nusenu <nusenu-lists@riseup.net>, DoH WG <doh@ietf.org>
On Tue, Mar 26, 2019 at 6:26 AM Patrick McManus <mcmanus@ducksong.com> wrote:
>
> right. The weakness here is that validating a name that probably comes
> from an unauthenticated source is not a very strong signal. That seems
> inherent in the draft, but maybe worth calling out more explicitly.
>

Right. It typically comes from unauthenticated DHCP or RDNSS.

One thought I've pondered is whether there is a way to apply policy to the hostname in the DoH template URL, as that is an authenticated hostname. For example, clients could validate against a blacklist of known-bad DoH server hostnames/domains. This may not scale well enough to be viable.

But we are inherently getting unauthenticated data from an unauthenticated source. But that unauthenticated data is something which is possible to authenticate and possibly authorize based on the hostname.

A similar model is done in Provisioning Domains where unauthenticated PvDs come from the network and are used to construct well-known URLs:
https://tools.ietf.org/html/draft-ietf-intarea-provisioning-domains-04

How to make this practical is where I get stuck. :-)

Erik
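The hostname-policy idea in the message above, as an added illustration that is not from the thread or the draft: a client extracts the host from the (unauthenticated) DoH URI template it learned from the network and applies a local policy list to it before using the template. The denylist entries and template URLs are constructed sample values.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample policy: DoH hostnames/domains a client refuses to use.
# An entry matches the host itself and any subdomain of it.
DENYLIST = {"bad.example", "doh.badresolver.test"}


def template_hostname(template: str) -> Optional[str]:
    """Return the normalized host of a DoH URI template, or None if unusable.

    The template value arrives unauthenticated (DHCP/RDNSS), but the host in
    it is what the TLS certificate will be checked against, so it is the one
    field a client-side policy can reasonably key on.
    """
    # RFC 6570 variables such as {?dns} belong to the query part; drop them
    # before parsing so a variable placed in the authority yields no host.
    try:
        parts = urlsplit(template.split("{", 1)[0])
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def is_permitted(template: str, denylist=DENYLIST) -> bool:
    """True if the template's host is not covered by the policy list."""
    host = template_hostname(template)
    if host is None:
        return False
    labels = host.split(".")
    # Check the host and each of its parent domains against the list.
    return not any(".".join(labels[i:]) in denylist for i in range(len(labels)))
```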