Re: [Doh] ..I don't get it (the hate)

Ted Lemon <> Tue, 26 March 2019 12:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1C8A212030D for <>; Tue, 26 Mar 2019 05:56:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id TafAuozO61Ww for <>; Tue, 26 Mar 2019 05:56:49 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 91CC2120283 for <>; Tue, 26 Mar 2019 05:56:49 -0700 (PDT)
Received: by with SMTP id w1so14264148wrp.2 for <>; Tue, 26 Mar 2019 05:56:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=XujDJJv0vlmYLmvG7UzpTdBCegCG6OuSIp7KOjIjLEA=; b=Yz4sV6elJrn5TqLodAqTO1vNZ2qU/13JpKMIu7mjBBVvGZthIHeheuFWHCQ9xb7h// 7UcIJdNPTIaUbsPrhPhExhcdHhMvu09M5n7LqYpy18JBciC3tvcfBTYXmrQrjD1nHSUP IVqn7vWcPoA6jijDISWUGfG548veyNsbPiJBIcUz3+EYl0Q6Ns2/QV4CidHqHv13T5MP 4pB6Cg4QkQlxKGy58SpAlYpAsaAkdlZG077qy3AnG3QpqKrP9kWbgmWSZVVbWkaWiOZC 6znJYYUD8qoy/3/vF/Xn5qJHRcHv2P6xoxpYZghW+b7DSeY3y3tDOrB4OeGsMzbLO8SD 9rVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=XujDJJv0vlmYLmvG7UzpTdBCegCG6OuSIp7KOjIjLEA=; b=mFBnSJA3f0WDtbIBWtswKosWsC0Agqm+BypbhfscglO6ETOX/xucDGQ5uSS3aYDHxz Inxcu19qyjrYCPXiuqQBn1iXeN+ETt02C2k8CfbKDlVdqmDS/Z6hHAub2gEtOeYMPogt cDDay64X9OadG3zSfpjmgi6pR+wPR7Rn3jqY9knY5SUZL9igi3tOkkfORhCqhmYcCiFy MUTDO1mDEADgCLTspDmGz44QtwN8PCaDR6rk/rlPABgdwGZdYL9bBICp2GsAgDxTiMxU x11NRLFd8rF549ohfr0P4C4j5TxqLrHJKeQ2s4NQE5uAnUR0iwAOaXh5E68UMdFVurVZ BXQg==
X-Gm-Message-State: APjAAAUgYUvxUyCcEU92MQmg3VzxYe4Uk+ml6+6gewUkLPLokAF2+2BS WIec9YY+iKnb16b+dZkRm1bgIdLAs0PAQjao
X-Google-Smtp-Source: APXvYqyisLtcK7hFBPscgz/JPmO4OlrSxNy4CLmMckDjQ8SzKZ3ebI7P86zLAUjEIGZT89fE7hs5zQ==
X-Received: by 2002:adf:f04e:: with SMTP id t14mr19971087wro.263.1553605007951; Tue, 26 Mar 2019 05:56:47 -0700 (PDT)
Received: from ( []) by with ESMTPSA id j11sm23418737wrw.85.2019. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 26 Mar 2019 05:56:47 -0700 (PDT)
From: Ted Lemon <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C12D446E-95FA-41C0-A2A6-C0BBD9FBE486"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.2\))
Date: Tue, 26 Mar 2019 13:56:45 +0100
In-Reply-To: <>
Cc: George Michaelson <>, DoH WG <>
To: Joe Abley <>
References: <> <>
X-Mailer: Apple Mail (2.3445.104.2)
Archived-At: <>
Subject: Re: [Doh] ..I don't get it (the hate)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 26 Mar 2019 12:56:54 -0000

I think it’s a correct observation that the majority of end-users are not qualified to make security policy decisions at a fine-grained level.   It’s also the case that frequently end-users do not have the opportunity to make choices that they would make if they were available (e.g., Facebook, but without all the privacy violations).   But I think that’s not the right taxonomy.

I think the actual split is between devices that have to have on-device security policy enforcement, and devices that can’t.   My iPhone is roaming to networks with different policies all the time.   No matter how well-intentioned, the security policy of a particular network cannot protect my iPhone, because my iPhone talks to other networks.

So for devices like iPhones, a network-enforced security policy can only really cause harm: any good that it could have caused is voided by the fact that the network isn’t always there to protect it.

This is okay, because when I chose my iPhone, one of the reasons I chose it was that another entity would enforce a security policy on it that protects it from attack: the manufacturer, in this case Apple.   Apple has made a very deliberate decision to secure the iPhone in such a way that I can, with reasonable although not perfect confidence, trust that it will not be hacked by the network to which it connects.

On the other hand, my WeMo is wide open.   It doesn’t have any real security.   I’m sure we all know of examples of devices for which this is true.   Such devices tend not to move from network to network, and tend not to be seriously hardened against attack.

In order to protect my WeMo from attack, I need the network to strictly control what it communicates with.   This can to some degree be approximated by controlling DNS resolution.  But to be sure that it is controlled, the network also needs to do IP address filtering, and that filter needs to be controlled somehow.

As Eliot has demonstrated, it is possible to use DNS to control the hosts to which a host connects through a firewall, but it’s expensive, and it only works through the firewall.   That’s why we approximate this using DNS.

But if what we care about is controlling what hosts my iPhone connects to using DNS, the DNS resolver the iPhone uses has to be configured on the iPhone, and the connection to it has to be secure.   Controlling it at the network egress simply doesn’t solve that problem.

So when we are thinking about this problem, I think it’s important to be really clear about exactly what problem we are thinking about, and not confuse these two very different use cases and the very different control planes they require to address them.

> On Mar 26, 2019, at 12:31 PM, Joe Abley <> wrote:
> On Mar 26, 2019, at 12:15, George Michaelson <> wrote:
>> This is (surely) between me, the browser vendor, and the website? Why
>> does the ISP have any say in this?
> The ISP (or equivalent actor) has the opportunity to have a say today.
> Some deployment models would take this opportunity away.
> I don't believe the concern is for sophisticated users who can make
> informed choices. I can use a tor browser right now that also defeats
> the ISP's opportunity to participate in the resolution process. That's
> not controversial.
> The contentious aspect is, I think, the potential for a majority of
> end-users who are not sophisticated and hence are unable to make
> informed decisions to have this behaviour changed for them.
> It's not the existence of the mechanism, it's the potential scale of
> the deployment.
> Joe
> _______________________________________________
> Doh mailing list