IETF Logo Mail Archive

[Doh] Authentication in draft-ietf-doh-resolver-associated-doh-03.txt

Paul Hoffman <paul.hoffman@icann.org> Mon, 25 March 2019 11:37 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CE8A1203BE for <doh@ietfa.amsl.com>; Mon, 25 Mar 2019 04:37:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DM0rYK-fRnpg for <doh@ietfa.amsl.com>; Mon, 25 Mar 2019 04:36:59 -0700 (PDT)
Received: from out.west.pexch112.icann.org (out.west.pexch112.icann.org [64.78.40.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E49B120390 for <doh@ietf.org>; Mon, 25 Mar 2019 04:36:59 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Mon, 25 Mar 2019 04:36:57 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1367.000; Mon, 25 Mar 2019 04:36:57 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: DoH WG <doh@ietf.org>
Thread-Topic: Authentication in draft-ietf-doh-resolver-associated-doh-03.txt
Thread-Index: AQHU4v8NDpajfuqh1EySiYPcfrHJQQ==
Date: Mon, 25 Mar 2019 11:36:56 +0000
Message-ID: <08BD5718-CD1F-47B3-A4FB-4040F8E9FC4B@icann.org>
References: <155341529409.18062.10657099011172813446@ietfa.amsl.com> <20190325110136.GA23793@laperouse.bortzmeyer.org>
In-Reply-To: <20190325110136.GA23793@laperouse.bortzmeyer.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.47.234]
Content-Type: text/plain; charset="utf-8"
Content-ID: <50FE70FE3746E542BAFA83A3D5EEC7E7@pexch112.icann.org>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/tAd6bMpXA_aVvSw-kWCXXsRQBkc>
Subject: [Doh] Authentication in draft-ietf-doh-resolver-associated-doh-03.txt
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 11:37:00 -0000

On Mar 25, 2019, at 12:01 PM, Stéphane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> Otherwise, even after reading the whole thread "Reviewing
> Resolver-Associated DOH", I don't understand why https is required in
> section 2. We don't require DNSSEC in section 3, so why having
> stronger requirments for HTTP? Since having certificates for IP
> addresses will be difficult in practice, why not just accepting http
> as well as https? (Or, <horror>https without cert. checking</horror>.)

The reason I didn't drop down to http: is that doing so evokes the <horror> response, even though you are quite correct that the other two methods given in this document do not offer any authentication. So, let me ask the WG:

Would this document be better off with all three methods being equally unauthenticated? Doing so would remove the "but you can't get IP address certificates!" argument that keeps coming up (even though that is overstated). Doing so would simplify the security considerations by making all three protocols have the same obvious weakness.

An alternative is to have two URI, one with https: and one with http:, and explain that trying the first might be a good idea but to fall back to the second if authentication fails.

Thoughts?

--Paul Hoffman

v2.23.0 | Report a Bug | By Email