[Doh] Authentication in draft-ietf-doh-resolver-associated-doh-03.txt
Paul Hoffman <paul.hoffman@icann.org> Mon, 25 March 2019 11:37 UTC
Return-Path: <paul.hoffman@icann.org>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CE8A1203BE for <doh@ietfa.amsl.com>; Mon, 25 Mar 2019 04:37:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DM0rYK-fRnpg for <doh@ietfa.amsl.com>; Mon, 25 Mar 2019 04:36:59 -0700 (PDT)
Received: from out.west.pexch112.icann.org (out.west.pexch112.icann.org [64.78.40.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E49B120390 for <doh@ietf.org>; Mon, 25 Mar 2019 04:36:59 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Mon, 25 Mar 2019 04:36:57 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1367.000; Mon, 25 Mar 2019 04:36:57 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: DoH WG <doh@ietf.org>
Thread-Topic: Authentication in draft-ietf-doh-resolver-associated-doh-03.txt
Thread-Index: AQHU4v8NDpajfuqh1EySiYPcfrHJQQ==
Date: Mon, 25 Mar 2019 11:36:56 +0000
Message-ID: <08BD5718-CD1F-47B3-A4FB-4040F8E9FC4B@icann.org>
References: <155341529409.18062.10657099011172813446@ietfa.amsl.com> <20190325110136.GA23793@laperouse.bortzmeyer.org>
In-Reply-To: <20190325110136.GA23793@laperouse.bortzmeyer.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.47.234]
Content-Type: text/plain; charset="utf-8"
Content-ID: <50FE70FE3746E542BAFA83A3D5EEC7E7@pexch112.icann.org>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/tAd6bMpXA_aVvSw-kWCXXsRQBkc>
Subject: [Doh] Authentication in draft-ietf-doh-resolver-associated-doh-03.txt
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 11:37:00 -0000
On Mar 25, 2019, at 12:01 PM, Stéphane Bortzmeyer <bortzmeyer@nic.fr> wrote: > Otherwise, even after reading the whole thread "Reviewing > Resolver-Associated DOH", I don't understand why https is required in > section 2. We don't require DNSSEC in section 3, so why having > stronger requirments for HTTP? Since having certificates for IP > addresses will be difficult in practice, why not just accepting http > as well as https? (Or, <horror>https without cert. checking</horror>.) The reason I didn't drop down to http: is that doing so evokes the <horror> response, even though you are quite correct that the other two methods given in this document do not offer any authentication. So, let me ask the WG: Would this document be better off with all three methods being equally unauthenticated? Doing so would remove the "but you can't get IP address certificates!" argument that keeps coming up (even though that is overstated). Doing so would simplify the security considerations by making all three protocols have the same obvious weakness. An alternative is to have two URI, one with https: and one with http:, and explain that trying the first might be a good idea but to fall back to the second if authentication fails. Thoughts? --Paul Hoffman
- [Doh] I-D Action: draft-ietf-doh-resolver-associa… internet-drafts
- [Doh] New version: draft-ietf-doh-resolver-associ… Paul Hoffman
- Re: [Doh] New version: draft-ietf-doh-resolver-as… Joseph Lorenzo Hall
- Re: [Doh] New version: draft-ietf-doh-resolver-as… nusenu
- Re: [Doh] [Ext] Re: New version: draft-ietf-doh-r… Paul Hoffman
- Re: [Doh] I-D Action: draft-ietf-doh-resolver-ass… Stephane Bortzmeyer
- Re: [Doh] [Ext] I-D Action: draft-ietf-doh-resolv… Paul Hoffman
- [Doh] Authentication in draft-ietf-doh-resolver-a… Paul Hoffman
- Re: [Doh] New version: draft-ietf-doh-resolver-as… Ralf Weber
- Re: [Doh] [Ext] New version: draft-ietf-doh-resol… Paul Hoffman
- Re: [Doh] [Ext] New version: draft-ietf-doh-resol… Ben Schwartz
- Re: [Doh] Authentication in draft-ietf-doh-resolv… Ben Schwartz
- Re: [Doh] [Ext] New version: draft-ietf-doh-resol… Paul Hoffman
- Re: [Doh] [Ext] Re: Authentication in draft-ietf-… Paul Hoffman
- Re: [Doh] Authentication in draft-ietf-doh-resolv… nusenu
- Re: [Doh] Authentication in draft-ietf-doh-resolv… tirumal reddy
- Re: [Doh] Authentication in draft-ietf-doh-resolv… Patrick McManus
- Re: [Doh] Authentication in draft-ietf-doh-resolv… tirumal reddy
- Re: [Doh] Authentication in draft-ietf-doh-resolv… Patrick McManus
- Re: [Doh] Authentication in draft-ietf-doh-resolv… tirumal reddy
- Re: [Doh] New version: draft-ietf-doh-resolver-as… Erik Nygren
- Re: [Doh] Authentication in draft-ietf-doh-resolv… Erik Nygren
- Re: [Doh] [EXTERNAL] Re: Authentication in draft-… Winfield, Alister
- Re: [Doh] Authentication in draft-ietf-doh-resolv… Martin Thomson
- Re: [Doh] Authentication in draft-ietf-doh-resolv… Ben Schwartz
- Re: [Doh] Authentication in draft-ietf-doh-resolv… nusenu
- Re: [Doh] Authentication in draft-ietf-doh-resolv… Martin Thomson
- Re: [Doh] Authentication in draft-ietf-doh-resolv… Thomas Peterson