Re: [Doh] Authentication in draft-ietf-doh-resolver-associated-doh-03.txt

tirumal reddy <kondtir@gmail.com> Tue, 26 March 2019 11:11 UTC

References: <155341529409.18062.10657099011172813446@ietfa.amsl.com> <20190325110136.GA23793@laperouse.bortzmeyer.org> <08BD5718-CD1F-47B3-A4FB-4040F8E9FC4B@icann.org> <236b4e32-3184-9792-a162-e3db3d09922b@riseup.net> <CAFpG3gdU9g06hq+PTCVYZy7fG4A0QGAYmOrEEoPT5d4OiTom+w@mail.gmail.com> <CAOdDvNr4RYhrVjVDyUeESUG-7tLWN-SXYw8QSderEbUGLXSpwg@mail.gmail.com> <CAFpG3ge3D+trHPTvXGARgmyrCsxeFbQhSX--nUdT9-5t0xN7Tg@mail.gmail.com> <CAOdDvNp=K6Z6fjXeog9rbx-rFa3spdpaw4iojDweY+R45y==Sg@mail.gmail.com>
In-Reply-To: <CAOdDvNp=K6Z6fjXeog9rbx-rFa3spdpaw4iojDweY+R45y==Sg@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 26 Mar 2019 12:10:46 +0100
Message-ID: <CAFpG3gcJ1BCMrcffTFYMf+9Q+X8rP5=UT72_uVzv=0Xtb-0-xQ@mail.gmail.com>
To: Patrick McManus <mcmanus@ducksong.com>
Cc: nusenu <nusenu-lists@riseup.net>, DoH WG <doh@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/Sl9x4A2pi3DRMWK6wnNbsjnMR4o>
Subject: Re: [Doh] Authentication in draft-ietf-doh-resolver-associated-doh-03.txt

No worries. My point is that the client must be configured with an explicit
trust store to validate the local DoH server certificate.
The network domain name can be retrieved from the explicit trust store
itself.

-Tiru

On Tue, 26 Mar 2019 at 12:02, Patrick McManus <mcmanus@ducksong.com> wrote:

> I'm sorry - I quoted your draft name when I was referring to Paul's.
>
> On Tue, Mar 26, 2019 at 11:46 AM tirumal reddy <kondtir@gmail.com> wrote:
>
>> On Tue, 26 Mar 2019 at 11:25, Patrick McManus <mcmanus@ducksong.com>
>> wrote:
>>
>>>
>>>
>>> On Tue, Mar 26, 2019 at 9:48 AM tirumal reddy <kondtir@gmail.com> wrote:
>>>
>>>>
>>>> Agreed, and with our proposal in
>>>> https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-02,
>>>> the query for URI templates can use FQDN instead of
>>>> IP address, and the HTTPS server certificate can be validated by the
>>>> DoH client.
>>>>
>>>>
>>> right. The weakness here is that validating a name that probably comes
>>> from an unauthenticated source is not a very strong signal.
>>>
>>
>> No, the name is coming from an authenticated source. The explicit trust
>> store to validate the local DoH server certificate can also be used to
>> validate that the S-NAPTR lookup response is authentic using DNSSEC.
>>
>>
>>> That seems inherent in the draft, but maybe worth calling out more
>>> explicitly.
>>>
>>> otoh - and out of scope for this draft - the DoH client could do some
>>> kind of validation beyond the name.. like looking for a x509 attribute (and
>>> cross signature) indicating some kind of better-business like endorsement
>>> of privacy practices.
>>>
>>
>> The draft discusses a privacy certificate extension that helps the
>> endpoint identify the privacy preserving data policy of the DNS
>> server. The extension contains a URL that points to the privacy
>> preserving data policy.
>>
>>
>>
>>> So I think validation in the scope of associated-resolver is a desirable
>>> property even though the usually validated thing, the name, is a little
>>> less valuable here.
>>>
>>
>> The name is a reference identifier for validating the local DoH server
>> certificate.
>>
>> Cheers,
>> -Tiru
>>
>>
>>>
>>>
>>>
>>
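The thread turns on one mechanism: the client validates the local DoH server's certificate against an explicitly configured trust store, with the network domain name (itself taken from that store) as the reference identifier, and reads a privacy-policy URL out of a certificate extension. The following Go program is an added example of that check; it is not code from draft-reddy-dprive-bootstrap-dns-server, from draft-ietf-doh-resolver-associated-doh, or from any participant. The TrustStore type, the name doh.home.example, the policy URLs, the root names and the extension OID 1.3.6.1.4.1.99999.1 are all constructed for illustration; the S-NAPTR lookup and its DNSSEC validation are not modelled. Roots and leaves are generated in memory so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Assumed OID for the privacy-policy extension; the draft's real OID, if any, is not reproduced here.
var privacyPolicyOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// TrustStore is the explicitly configured store: the roots allowed to issue the local DoH
// server's certificate, plus the network domain name the client uses as reference identifier.
type TrustStore struct {
	Roots         *x509.CertPool
	NetworkDomain string
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with parent/parentKey, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func newRoot(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// newServerCert issues a DoH server certificate for dnsName carrying the assumed policy-URL extension.
func newServerCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, dnsName, policyURL string) *x509.Certificate {
	urlDER, err := asn1.MarshalWithParams(policyURL, "ia5")
	check(err)
	cert, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{Id: privacyPolicyOID, Value: urlDER}},
	}, root, rootKey)
	return cert
}

// ValidateDoHServer verifies the presented certificate against the explicit trust store only (setting
// Roots disables the system store), with the network domain name as reference identifier, and returns
// the privacy-policy URL the certificate carries.
func ValidateDoHServer(ts TrustStore, presented *x509.Certificate) (string, error) {
	if _, err := presented.Verify(x509.VerifyOptions{
		Roots:     ts.Roots,
		DNSName:   ts.NetworkDomain,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}); err != nil {
		return "", err
	}
	for _, ext := range presented.Extensions {
		if ext.Id.Equal(privacyPolicyOID) {
			var u string
			_, err := asn1.Unmarshal(ext.Value, &u)
			return u, err
		}
	}
	return "", fmt.Errorf("certificate carries no privacy-policy extension")
}

// RunScenario checks, against one constructed trust store, a correctly issued certificate, one for
// another host on the same network, and one with the right name from a root the client never trusted.
func RunScenario() (trustedOK, wrongNameRejected, untrustedRootRejected bool, policyURL string) {
	root, rootKey := newRoot("Home Network Root (constructed)")
	roots := x509.NewCertPool()
	roots.AddCert(root)
	ts := TrustStore{Roots: roots, NetworkDomain: "doh.home.example"}
	policyURL, err := ValidateDoHServer(ts, newServerCert(root, rootKey, "doh.home.example", "https://doh.home.example/privacy"))
	trustedOK = err == nil
	_, err = ValidateDoHServer(ts, newServerCert(root, rootKey, "printer.home.example", "https://doh.home.example/privacy"))
	wrongNameRejected = err != nil // x509.HostnameError: trusted issuer, wrong reference identifier
	rogue, rogueKey := newRoot("Rogue Root (constructed)")
	_, err = ValidateDoHServer(ts, newServerCert(rogue, rogueKey, "doh.home.example", "https://evil.example/privacy"))
	untrustedRootRejected = err != nil // x509.UnknownAuthorityError: right name, issuer not in the store
	return
}

func main() { fmt.Println(RunScenario()) }
```

The second and third cases are the ones worth keeping in mind when reading the thread: a certificate from the trusted root but for a different name on the same network is rejected on the reference identifier alone, and a certificate with the correct name from any root outside the explicit store is rejected regardless of what the network's DNS said, which is why the name only carries weight once the store itself is trusted. The policy URL is read only after the chain and name checks succeed, so an unvalidated certificate can never steer the client to a policy page.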