Re: [Doh] Authentication in draft-ietf-doh-resolver-associated-doh-03.txt

tirumal reddy <kondtir@gmail.com> Tue, 26 March 2019 10:46 UTC

In-Reply-To: <CAOdDvNr4RYhrVjVDyUeESUG-7tLWN-SXYw8QSderEbUGLXSpwg@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 26 Mar 2019 11:46:26 +0100
Message-ID: <CAFpG3ge3D+trHPTvXGARgmyrCsxeFbQhSX--nUdT9-5t0xN7Tg@mail.gmail.com>
To: Patrick McManus <mcmanus@ducksong.com>
Cc: nusenu <nusenu-lists@riseup.net>, DoH WG <doh@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/zK40AmAtf7YKuLzLuPFr8w8t2MM>

On Tue, 26 Mar 2019 at 11:25, Patrick McManus <mcmanus@ducksong.com> wrote:

>
>
> On Tue, Mar 26, 2019 at 9:48 AM tirumal reddy <kondtir@gmail.com> wrote:
>
>>
>> Agreed, and with our proposal in
>> https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-02,
>> the query for URI templates can use FQDN instead of
>> IP address, and the HTTPS server certificate can be validated by the DoH
>> client.
>>
>>
> right. The weakness here is that validating a name that probably comes
> from an unauthenticated source is not a very strong signal.
>

No, the name is coming from an authenticated source. The explicit trust
store used to validate the local DoH server certificate can also be used to
validate that the S-NAPTR lookup response is authentic using DNSSEC.


> That seems inherent in the draft, but maybe worth calling out more
> explicitly.
>
> otoh - and out of scope for this draft - the DoH client could do some kind
> of validation beyond the name.. like looking for a x509 attribute (and
> cross signature) indicating some kind of better-business like endorsement
> of privacy practices.
>

The draft discusses a privacy certificate extension that helps the endpoint
identify the privacy preserving data policy of the DNS
server. The extension contains a URL that points to the privacy
preserving data policy.
> So I think validation in the scope of associated-resolver is a desirable
> property even though the usually validated thing, the name, is a little
> less valuable here.
>

The name is a reference identifier for validating the local DoH server
certificate.

Cheers,
-Tiru
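As an added illustration (not code from the draft or from this message), the following assumes a constructed S-NAPTR answer carrying the DoH server's FQDN together with the resolver's DNSSEC AD flag, and shows the two checks the reply relies on: the name is accepted only when the lookup was DNSSEC-authenticated, and it then serves as the reference identifier matched against the certificate's dNSName SANs (RFC 6125 style matching, including the wildcard restrictions).

```python
"""Reference-identifier check for a DoH server discovered via S-NAPTR.

Constructed example, not code from the draft: the client accepts the
S-NAPTR target FQDN only when the resolver reports the answer as
DNSSEC-authenticated (AD bit), then matches that FQDN as the reference
identifier against the dNSName SANs in the server certificate.
"""
from dataclasses import dataclass


@dataclass
class SNaptrLookup:
    """Minimal model of an S-NAPTR answer (constructed for this example)."""
    target_fqdn: str
    ad_flag: bool  # True only if the response was DNSSEC-validated


def _normalize(name: str) -> str:
    return name.rstrip(".").lower()


def dnsname_matches(presented: str, reference: str) -> bool:
    """Match a presented dNSName against the reference identifier.
    A wildcard is accepted only as the entire left-most label, needs at
    least two labels after it, and never spans more than one label."""
    p, r = _normalize(presented), _normalize(reference)
    if "*" not in p:
        return p == r
    p_labels, r_labels = p.split("."), r.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(r_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def select_reference_identifier(lookup: SNaptrLookup) -> str:
    """Use the S-NAPTR target as reference identifier only if the answer
    was authenticated; an unvalidated name carries no real assurance."""
    if not lookup.ad_flag:
        raise ValueError("S-NAPTR answer not DNSSEC-authenticated")
    return _normalize(lookup.target_fqdn)


def certificate_matches(lookup: SNaptrLookup, san_dnsnames: list) -> bool:
    """True when a dNSName SAN matches the authenticated reference name."""
    try:
        ref = select_reference_identifier(lookup)
    except ValueError:
        return False
    return any(dnsname_matches(san, ref) for san in san_dnsnames)
```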
