Re: [Doh] [Ext] Associating a DoH server with a resolver

Adam Roach, Thu, 25 October 2018 15:35 UTC

To: Paul Hoffman, Ben Schwartz
Cc: DoH WG

On 10/25/18 9:57 AM, Paul Hoffman wrote:
>> Other minor comments:
>> On Section 4, User Interface: I don't see the need for a user interface here.  In my view, opportunistic security generally shouldn't require user action and shouldn't produce a user-visible change.
> Browser vendors might prefer that, privacy-concerned users might want a UI. I guess I'm targeting the latter.

You cast this as a matter of user agency, while the analysis that's been 
done in this space has concluded that these kinds of indicators for 
opportunistic security are quite hostile to user interests.

It's hard to convey the subtlety of "you might be talking to the wrong 
thing, and there might be undetectable on-path attackers reading and 
modifying your data, but at least passive attackers can't see what's 
going on." And users who overestimate the level of protection implied by 
security indicia run a high risk of behaving in a way that does not suit 
their interests.