Re: [Doh] New Version Notification for draft-dickinson-doh-dohpe-00.txt

Ben Schwartz <bemasc@google.com> Thu, 19 July 2018 15:39 UTC

From: Ben Schwartz <bemasc@google.com>
Date: Thu, 19 Jul 2018 11:39:03 -0400
Message-ID: <CAHbrMsCx2-z7n3QHmtos5CESSzVbzB=BERjqE7ar941J=S3rGA@mail.gmail.com>
To: Sara Dickinson <sara@sinodun.com>
Cc: DoH WG <doh@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/neHr7QFOD4U4uYSfPf23BsJJtGM>

On Thu, Jul 19, 2018 at 10:52 AM Sara Dickinson <sara@sinodun.com> wrote:

>
>
> On 18 Jul 2018, at 16:22, Ben Schwartz <bemasc@google.com> wrote:
>
> I think this draft could use review from readers familiar with HTTP.  I
> hope that people with knowledge of HTTP will help us to understand whether
> this draft's recommendations would result in a significant increase in user
> privacy.
>
>
> Completely agree.
>
>
> For the draft's authors, I have a question: does this draft's "privacy
> threat model" include a DOH server that uses active measures to
> differentiate clients?  Or is it scoped only to passive discrimination
> between different client implementations?
>
>
> Both of these.
>

OK.  In that case, I think the draft would need to cover all the client's
error handling, redirect following, and retry logic, i.e. any behavior the
server could observe by generating targeted or malformed responses.  This
sounds challenging.

This is also true for the underlying DNS implementation.  Even without HTTP
or TLS, I suspect that by similar methods (using malformed responses or
exercising various unusual features), a recursive resolver could identify
the stub resolver software with high precision.

As Martin points out, the HTTP aspect of this is fairly widely applicable,
outside of DOH.  I think the same is probably true of the DNS side.  Thus,
one possibility would be to address those aspects separately.

> As for other issues, I think the draft might need to consider header order.
>
>
> Yes - a couple of other folks have mentioned that too.
>
>   I also couldn't find an easy list of mandatory headers in RFC 7540, so
> that list might be worth repeating.
>
>
> There doesn’t seem to be a simple example in any draft I found so the
> current text is a bit of a cop-out. I was wondering if it would make more
> sense to have the list in draft-ietf-httpbis-bcp56bis-06 as a general
> clarification and then this document could reference that?
>
> Or Stephane suggested pointing to RFC 7230 (plus a bit of RFC 7231)
> instead. But actually I now think example messages would be the most
> explicit way to show what DoHPE messages should look like.
>
> Sara.
>
>
>
> On Wed, Jul 18, 2018 at 10:03 AM Sara Dickinson <sara@sinodun.com> wrote:
>
>> Hi All,
>>
>> We’ve just submitted a very short draft outlining a privacy profile for
>> DoH called DoHPE.
>>
>> It is very basic at the moment but it would be great to get some feedback
>> on the idea here and to see if the WG sees this as something that should go
>> through this group or head somewhere else. Since the guidelines are purely
>> HTTP related, this does feel like the right audience to review the document
>> at least in the first instance.
>>
>> Sara.
>>
>>
>> Begin forwarded message:
>>
>> *From: *internet-drafts@ietf.org
>> *Subject: **New Version Notification for
>> draft-dickinson-doh-dohpe-00.txt*
>> *Date: *18 July 2018 at 09:58:48 GMT-4
>> *To: *"Sara Dickinson" <sara@sinodun.com>, "Willem Toorop" <
>> willem@nlnetlabs.nl>
>>
>>
>> A new version of I-D, draft-dickinson-doh-dohpe-00.txt
>> has been successfully submitted by Sara Dickinson and posted to the
>> IETF repository.
>>
>> Name: draft-dickinson-doh-dohpe
>> Revision: 00
>> Title: DoHPE: DoH with Privacy Enhancements
>> Document date: 2018-07-18
>> Group: Individual Submission
>> Pages: 8
>> URL:
>> https://www.ietf.org/internet-drafts/draft-dickinson-doh-dohpe-00.txt
>> Status:
>> https://datatracker.ietf.org/doc/draft-dickinson-doh-dohpe/
>> Htmlized:       https://tools.ietf.org/html/draft-dickinson-doh-dohpe-00
>> Htmlized:
>> https://datatracker.ietf.org/doc/html/draft-dickinson-doh-dohpe
>>
>>
>> Abstract:
>>   This document describes DoHPE (DoH with Privacy Enhancements) - a
>>   privacy and anonymity profile for DoH [I-D.ietf-doh-dns-over-https]
>>   clients.  The profile provides guidelines on the composition of DoH
>>   messages, designed to minimize disclosure of identifying information.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of
>> submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>>
>
>
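
Added example, not part of the thread or of draft-dickinson-doh-dohpe: a client-side self-check for the passive part of the fingerprinting discussed above, namely which headers a DoH client sends and in what order. The profile list, the helper names and the two sample requests are assumptions constructed for illustration; the active probing Ben describes (error handling, redirects, retries) is not covered by a check like this.

```python
import hashlib

# Assumed profile, for illustration only: the thread does not define the
# DoHPE header list. The first four names are the HTTP/2 request pseudo-headers.
PROFILE_ORDER = [":method", ":scheme", ":authority", ":path",
                 "accept", "content-type", "content-length"]

def fingerprint(headers):
    """Hash what a server can observe passively: header names in wire order."""
    names = "\n".join(name.lower() for name, _ in headers)
    return hashlib.sha256(names.encode()).hexdigest()[:16]

def apply_profile(headers):
    """Drop headers outside the profile and emit the rest in profile order."""
    seen = {}
    for name, value in headers:
        seen.setdefault(name.lower(), value)  # first occurrence wins
    return [(n, seen[n]) for n in PROFILE_ORDER if n in seen]

def audit(headers):
    """Return (names outside the profile, whether the rest is in profile order)."""
    names = [n.lower() for n, _ in headers]
    extra = [n for n in names if n not in PROFILE_ORDER]
    kept = [n for n in names if n in PROFILE_ORDER]
    return extra, kept == sorted(kept, key=PROFILE_ORDER.index)

# Constructed sample requests from two hypothetical client stacks. Both carry
# the same DNS query; they differ only in header order and one extra header.
CLIENT_A = [(":method", "POST"), (":scheme", "https"),
            (":authority", "doh.example"), (":path", "/dns-query"),
            ("accept", "application/dns-message"),
            ("content-type", "application/dns-message"),
            ("content-length", "33"), ("user-agent", "client-a/1.0")]
CLIENT_B = [(":method", "POST"), (":path", "/dns-query"),
            (":authority", "doh.example"), (":scheme", "https"),
            ("content-type", "application/dns-message"),
            ("content-length", "33"),
            ("accept", "application/dns-message"),
            ("accept-language", "en-GB")]

if __name__ == "__main__":
    for label, req in (("A", CLIENT_A), ("B", CLIENT_B)):
        print(label, fingerprint(req), audit(req),
              "->", fingerprint(apply_profile(req)))
```
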