Re: [Doh] Privacy Considerations Text (#2)

Patrick McManus <pmcmanus@mozilla.com> Mon, 25 June 2018 23:40 UTC

In-Reply-To: <DAE6BABB-668E-4AAA-9BAC-4CFEADB2358D@sinodun.com>
References: <CAOdDvNpGSw6SP6COgJuJR_y2i1BjPWy3_i14vCYUP3jq6=zGuQ@mail.gmail.com> <0c003af5-6258-6de5-fdaf-161402c60b4d@riseup.net> <DAE6BABB-668E-4AAA-9BAC-4CFEADB2358D@sinodun.com>
From: Patrick McManus <pmcmanus@mozilla.com>
Date: Mon, 25 Jun 2018 19:40:20 -0400
Message-ID: <CAOdDvNqWjE22Uss6ZWhtZgg9LZw1dSRCOxsU9C1UqwaMS0vx7w@mail.gmail.com>
To: Sara Dickinson <sara@sinodun.com>
Cc: Patrick McManus <pmcmanus@mozilla.com>, DoH WG <doh@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/yeeJAvss6OXryQD48wqtt4iKUQc>

Hi Sara,


> + ### DNS Specific considerations
> +
> + Whilst DNS transports will generally carry the same privacy properties of the
> + layers used to implement them the standard DNS wireformat itself notably
> + contains no client identifiers.

That's mostly true imo (modulo perhaps edns client subnet)

> + Using HTTPS as a transport therefore introduces
> + new privacy concerns over DNS over UDP, TCP or TLS (RFC7858) with regard to
> + additional data that may be visible to a DoH server compared to a DNS resolver.
I do agree that HTTP adds additional considerations, which is what the
existing text describes. But I don't agree with this sentence which,
significantly through the use of therefore, indicates HTTPS has client
identifiers and other transports do not.

The previous several paragraphs have enumerated client identifiers also
present in IP (therefore UDP), TCP, and TLS. Everything that transports
wireformat.

What if, instead, we add a new first paragraph to the "In the server"
section along the lines of

"The original DNS wireformat contains no client identifiers, however
various transports of the DNS wireformat do provide data that can be used
for request correlation. HTTPS presents new considerations for correlation
ranging from explicit HTTP cookies to implicit fingerprinting of the unique
set and ordering of request headers."

> + ### HTTP Specific considerations (#HTTPconsiderations)

I think this is largely what the paragraph that begins "The DoH protocol
design allows applications to fully leverage..." is conveying. Maybe it can
move towards what you are thinking... wdyt of:

The DoH protocol design allows applications to fully leverage the HTTP
ecosystem, including features not enumerated here. Utilizing the full
set of HTTP features enables DoH to be more than an HTTP tunnel, but
also opens implementations up to the full set of privacy
considerations of HTTP.

Implementations of DoH clients and servers need to consider the
benefit and privacy impact of these features, and their deployment
context, when deciding whether or not to enable them. Implementations
are advised to expose the minimal set of data needed to achieve the desired
feature set.
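To make the distinction the thread is drawing concrete, here is an added example (not from this message or the draft): it builds a DoH GET request, separates the DNS wireformat payload from the HTTP layer, and shows that the DNS message names no client while the HTTP headers (cookies, User-Agent, and the set and order of headers) are what a DoH server can correlate on. The header names flagged as correlating, the `doh.example` host and both request templates are constructed for illustration.

```python
import base64
import struct

def build_query(qname: str, qtype: int = 1) -> bytes:
    """Minimal DNS wireformat query: 12-byte header plus one question, ID 0 as RFC 8484 recommends."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID, flags (RD), QD/AN/NS/ARCOUNT
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def dns_param(qname: str) -> str:
    # base64url without padding, as the ?dns= parameter requires (RFC 8484 section 6)
    return base64.urlsafe_b64encode(build_query(qname)).rstrip(b"=").decode("ascii")

def parse_query(msg: bytes) -> dict:
    """Decode the header and first question: note there is no field naming the client."""
    ident, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos, labels = 12, []
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return {"id": ident, "flags": flags, "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}

# Header names that carry or enable client correlation at the HTTP layer (illustrative list).
CORRELATING = {"cookie", "user-agent", "authorization", "referer", "x-forwarded-for"}

def split_request(raw: str):
    """Split a DoH GET request into its ordered HTTP headers and the decoded DNS payload."""
    request_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = [tuple(part.strip() for part in h.split(":", 1)) for h in header_lines]
    param = request_line.split("dns=", 1)[1].split(" ", 1)[0].split("&", 1)[0]
    return headers, base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def http_layer_exposure(headers) -> dict:
    """What the transport reveals beyond the DNS message: explicit identifiers and header order."""
    names = [name.lower() for name, _ in headers]
    return {"correlating_headers": sorted(n for n in names if n in CORRELATING),
            "header_order": tuple(names)}  # the set and order alone can fingerprint a client

# Constructed requests (not from the thread): a browser-style client and a minimal one.
VERBOSE = ("GET /dns-query?dns={} HTTP/1.1\r\nHost: doh.example\r\nUser-Agent: ExampleBrowser/1.0\r\n"
           "Accept: application/dns-message\r\nCookie: session=abc123\r\n\r\n")
MINIMAL = "GET /dns-query?dns={} HTTP/1.1\r\nHost: doh.example\r\nAccept: application/dns-message\r\n\r\n"

def compare(qname: str = "www.example.com") -> dict:
    out = {}  # same DNS question over both requests; only the HTTP layer differs in exposure
    for label, template in (("verbose", VERBOSE), ("minimal", MINIMAL)):
        headers, payload = split_request(template.format(dns_param(qname)))
        out[label] = {"dns": parse_query(payload), "http": http_layer_exposure(headers)}
    return out
```

The decoded DNS message is identical for both requests; only the HTTP layer distinguishes them, which is the reason the proposed text advises exposing the minimal set of data needed for the desired feature set.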