Re: [Doh] WGLC #2

Patrick McManus <pmcmanus@mozilla.com> Wed, 23 May 2018 22:36 UTC

From: Patrick McManus <pmcmanus@mozilla.com>
Date: Wed, 23 May 2018 18:36:41 -0400
To: Tom Pusateri <pusateri@bangj.com>
Cc: Patrick McManus <pmcmanus@mozilla.com>, DoH WG <doh@ietf.org>, Sara Dickinson <sara@sinodun.com>, "Hewitt, Rory" <rhewitt=40akamai.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/uy02Xm6rgezxlXkEzDi3aEi-_i4>

I don't find the text confusing at all. If you're asking how someone making
a configuration decision decides something is trustworthy, that's not in
scope here (just as the selection of PKI roots is not in scope for HTTPS).
From the pov of the protocol, a URI is designated as trustworthy via
configuration. The explicit point being made here is that URIs discovered
in some other fashion are not considered trusted by this spec.



On Wed, May 23, 2018 at 6:03 PM, Tom Pusateri <pusateri@bangj.com> wrote:

>
>
> On May 23, 2018, at 5:57 PM, Patrick McManus <pmcmanus@mozilla.com> wrote:
>
>
>
> On Wed, May 23, 2018 at 5:53 PM, Tom Pusateri <pusateri@bangj.com> wrote:
>
>>
>>  -DNS API client MUST only use a DNS API server that is configured as
>> trustworthy.
>>
>>
>> How do you define trustworthy? This seems like it would vary for
>> different clients and servers in different environments.
>>
>
>
> That paragraph says you do it through the configuration. That's not being
> changed here.
>
>
> But how does an implementor of the spec ensure something is “configured as
> trustworthy”?
>
> All the implementor can do is allow it to be configured.
>
> Tom
>
>
>