Re: [Doh] [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients

Michael Sinatra <michael@brokendns.net> Thu, 14 March 2019 00:07 UTC

Return-Path: <michael@brokendns.net>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C23F124B16; Wed, 13 Mar 2019 17:07:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6DjK2HCbFvNS; Wed, 13 Mar 2019 17:07:47 -0700 (PDT)
Received: from burnttofu.net (burnttofu.net [IPv6:2607:fc50:1:9d00::9977]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 050311277E2; Wed, 13 Mar 2019 17:07:46 -0700 (PDT)
Received: from elwha.brokendns.net (elwha.brokendns.net [IPv6:2607:f2f8:a544:0:0:0:0:2]) by burnttofu.net (8.15.2/8.15.2) with ESMTPS id x2E07Rhw067042 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT); Wed, 13 Mar 2019 20:07:29 -0400 (EDT) (envelope-from michael@brokendns.net)
Received: from kimberton.burnttofu.net (127.146.25.136.in-addr.arpa [136.25.146.127]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by elwha.brokendns.net (5.65c/IDA-1.4.4/5.63) with ESMTPSA id A645765B1E; Wed, 13 Mar 2019 17:07:28 -0700 (PDT)
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Brian Dickson <brian.peter.dickson@gmail.com>, Christian Huitema <huitema@huitema.net>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>, "Livingood, Jason" <Jason_Livingood@comcast.com>, "doh@ietf.org" <doh@ietf.org>
References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <76386691-c1aa-c48a-9b0d-67eb36a08a4f@redbarn.org> <CABcZeBOWM0Ps-j3V-CK6VPy0LAqeo7-t7odUZy+dk9d-oCSDsg@mail.gmail.com> <4935758.NkxX2Kjbm0@linux-9daj> <c2c2be47-0855-a9d1-dd53-2404edf4d02b@huitema.net> <807193999.19916.1552445819087@appsuite.open-xchange.com> <9e40ac38-fa10-bbdc-1bfc-302e0ca170df@huitema.net> <C72A7196-98CF-40DC-84C7-DA95BADD24B8@cable.comcast.com> <b52e7891-da9f-6972-fc42-bf3aeea0a10f@huitema.net> <CAH1iCioc7xbMRnfzukFNK+RE7ScFru8xEk32F=XbR0Mo+E371w@mail.gmail.com> <e1d74ebd-0a63-700f-f032-faaeeef73993@cs.tcd.ie>
From: Michael Sinatra <michael@brokendns.net>
Message-ID: <ee21337b-65dc-7e81-2f2c-c1a7dec9440f@brokendns.net>
Date: Wed, 13 Mar 2019 17:07:24 -0700
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <e1d74ebd-0a63-700f-f032-faaeeef73993@cs.tcd.ie>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-4.6.2 (burnttofu.net [IPv6:2607:fc50:1:9d00:0:0:0:9977]); Wed, 13 Mar 2019 20:07:31 -0400 (EDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/ZY-IQ4nvwbcXwe0D7dq46hZAL1M>
Subject: Re: [Doh] [dns-privacy] [DNSOP] New: draft-bertola-bcp-doh-clients
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2019 00:07:50 -0000

On 3/13/19 1:43 PM, Stephen Farrell wrote:
> 
> (dropping dprive list at WG chair request)
> 
> Hiya,
> 
> On 13/03/2019 20:29, Brian Dickson wrote:
>> The starting place for the conversation needs to acknowledge this, and
>> accommodate it. It is entirely possible that a DoH client that doesn't do a
>> minimum level of getting user acknowledgement before violating policies,
>> laws, or contracts, might itself be illegal in some jurisdictions
>> (jurisdictions that could include some US states, some western countries,
>> some larger entities like EU, etc.).
> 
> I almost agreed with you that people need to ack others'
> priorities. But the above means I can't agree with your
> mail as "might be illegal" is vastly overstated, there
> being no relevant difference between DoT and DoH clients
> in this respect. 

I believe that the issue of protocol obfuscation that I mentioned
earlier in the draft-reid-doh-operator thread[1] is a relevant difference.

There is another technical issue, and that surrounds the question of who
is the user and what capabilities does the user have to manage their
devices.  This has been touched upon with the discussion on opt-in vs.
default and with Paul's discussion of data exfiltration.

In my home, I have an "Internet-capable" washing machine.  Of course my
"smart" TV wants to be on the Internet.  My Foobot *must* be on the
Internet just so I can monitor the air quality in my own home.  I don't
want the washer on the Internet at all, and for some of the other
devices, I want to control what they do on my home network.  With
embedded and "IoT" devices, there may be limitations on how I--as the
user--can control them.  There may be hard-coded defaults that are
difficult to change (and yet have a way of easily resetting themselves
to "factory default").  Leaving aside for now the issue of licensing
Ts&Cs, I--as the user--may want to have more *technical* control over
the devices than their vendor is willing to give me.  One way I can
assert that control is via the network.  On my home network, I am one of
the users and I am also the network admin.  I want to assert control
over the devices for which *I* am the user, but the people who designed
them didn't give them sufficient knobs for me to do this on the device.

Another word for software which does things on the network outside of
the user's control is "malware," whether it is legitimate or not, and I
realize it predates DoH.  But DoH legitimizes protocol obfuscation at
the network layer and makes it potentially harder for me to control the
devices for which I am the user.  So if the goal is to give users more
control, I'd assert that DoH, at best, works both ways.

michael

[1] https://mailarchive.ietf.org/arch/msg/dnsop/Qole4yY0q_-psyrvWabaRAD8_Vc