Re: [ietf-privacy] Fwd: draft-huitema-dnssd-privacy-01.txt

"Christian Huitema" <huitema@huitema.net> Thu, 23 June 2016 18:27 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: ietf-privacy@ietfa.amsl.com
Delivered-To: ietf-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9904612D5C0 for <ietf-privacy@ietfa.amsl.com>; Thu, 23 Jun 2016 11:27:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eYfL59v8T6VN for <ietf-privacy@ietfa.amsl.com>; Thu, 23 Jun 2016 11:27:47 -0700 (PDT)
Received: from xsmtp05.mail2web.com (xsmtp05.mail2web.com [168.144.250.245]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B50F012D5C6 for <ietf-privacy@ietf.org>; Thu, 23 Jun 2016 11:27:46 -0700 (PDT)
Received: from [10.5.2.52] (helo=xmail12.myhosting.com) by xsmtp05.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1bG9Lp-0005VE-Mb for ietf-privacy@ietf.org; Thu, 23 Jun 2016 14:27:45 -0400
Received: (qmail 13933 invoked from network); 23 Jun 2016 18:27:41 -0000
Received: from unknown (HELO huitema2) (Authenticated-user:_huitema@huitema.net@[131.107.160.201]) (envelope-sender <huitema@huitema.net>) by xmail12.myhosting.com (qmail-ldap-1.03) with ESMTPA for <ietf-privacy@ietf.org>; 23 Jun 2016 18:27:40 -0000
From: Christian Huitema <huitema@huitema.net>
To: 'Joseph Lorenzo Hall' <joe@cdt.org>, 'Tim Chown' <Tim.Chown@jisc.ac.uk>
References: <DM2PR0301MB0655DA3D2AA9FD4FF08E5CA4A8500@DM2PR0301MB0655.namprd03.prod.outlook.com> <FC54AE01-0E03-4414-809E-5A5460F2FCFF@jisc.ac.uk> <CABtrr-UJU_PXwYZgRR0083GiAxTt4Jm0z0K3dh2m+o=vdvXw0w@mail.gmail.com>
In-Reply-To: <CABtrr-UJU_PXwYZgRR0083GiAxTt4Jm0z0K3dh2m+o=vdvXw0w@mail.gmail.com>
Date: Thu, 23 Jun 2016 11:27:39 -0700
Message-ID: <000801d1cd7c$ed0ac5c0$c7205140$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHRzJPrJ1oEm7MPO0C1G9rPY/tNnJ/3XaXA
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-privacy/jSzPlZSHAKBP0xVl-ZOJy4KFTjs>
Cc: ietf-privacy@ietf.org, 'Ralph Droms' <rdroms.ietf@gmail.com>
Subject: Re: [ietf-privacy] Fwd: draft-huitema-dnssd-privacy-01.txt
X-BeenThere: ietf-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Internet Privacy Discussion List <ietf-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-privacy/>
List-Post: <mailto:ietf-privacy@ietf.org>
List-Help: <mailto:ietf-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jun 2016 18:27:53 -0000

Can we have that conversation on the DNS-SD mailing list?

The short answer to the finger printing question is that the proposed solution addresses the fingerprinting concerns. The publicly visible information is limited to "this unknown device publishes or use the DNS-SD privacy service." Neither the list of services published by the device, the specific attributes describing these services, the port numbers used by the services or the values of the priority and weight attributes in the SRV records are visible to random third parties. They are only accessed through the encrypted privacy discovery service.

The reference to QR code is a bit confusing. It comes from the section describing possible pairing solution. That section is not fully developed. In any case, there are no QR codes involved during actual discovery. To take the example of "two activists/journalists in Syria at a café," I would expect them to perform the pairing beforehand at some trusted location, then perform discovery as specified here using the privacy preserving mechanisms.


> -----Original Message-----
> From: Joseph Lorenzo Hall [mailto:joe@cdt.org]
> Sent: Wednesday, June 22, 2016 7:39 AM
> To: Tim Chown <Tim.Chown@jisc.ac.uk>
> Cc: ietf-privacy@ietf.org; Ralph Droms <rdroms.ietf@gmail.com>; Christian
> Huitema <huitema@microsoft.com>
> Subject: Re: [ietf-privacy] Fwd: draft-huitema-dnssd-privacy-01.txt
> 
> Thanks for this. Some comments:
> 
> * The last paragraph in Section 2.4 seems to be making the inevitable "what can
> we really do about fingerprinting?" argument. It would be great if you could
> acknowledge that despite the severe technical and practical limits on
> combatting fingerprinting, specifications should try their best to keep that
> surface area to a minimum. That may be too normative for this document?
> (Although, of course, it's clear you care about that!). As a pointer the w3c TAG
> had a great set of findings on unsanctioned tracking that included the following
> on fingerprinting:
> "because combatting fingerprinting is difficult, new Web specifications should
> take reasonable measures to avoid adding unneeded fingerprinting surface
> area. However, added surface area should not be a primary factor in
> determining whether to add a new feature."
> 
> * In 4.1.1 it says, "Strictly speaking, displaying and scanning QR-codes does not
> establish a secure private channel, as others could also photograph this code;
> but it is reasonable secure for the application area of private service discovery."
> Is this not a threat model from your two more casual use cases stated in the
> document? That is, if we change the use case to two activists/journalists in
> Syria at a cafe, would you choose a different design. (For example, have the
> service generate a short random code since that will be QR-ified
> anyway.) I recognize this is just one possible option here from the document
> and that others (like WoT PKI) might be more appropriate for my Syria example.
> 
> 
> On Wed, Jun 22, 2016 at 8:18 AM, Tim Chown <Tim.Chown@jisc.ac.uk> wrote:
> > Hi,
> >
> > In the dnssd WG, we are developing methods to enable scalable
> > DNS-based service discovery, which in practice means enabling
> > mDNS/DNS-SD to work over multiple links within a site. As defined,
> > mDNS/DNS-SD are link-local protocols, not forwarded by routers. If
> > successful, one ‘win’ is that users with devices can discover services
> > that may be physically near them, but that lie in a different subnet.
> >
> > At a high level, the proposed solution works by clients/resolvers
> > sending queries to hybrid proxies running on specific subnets (which
> > may be manually configured in an enterprise scenario, or
> > auto-discovered in an unmanaged home network scenario), which then
> > issue local service discovery messages, the answers to which are relayed back
> to the originating querier.
> >
> > We’re encouraging discussion of privacy considerations in the WG. As a
> > result, we now have a draft (see below), including an initial proposal
> > for a solution, for which we’d welcome wider review. The draft also
> > addresses mDNS/DNS-SD privacy within single subnet scenarios.
> >
> > Feel free to comment here, or join the dnssd WG list and contribute there.
> >
> > Many thanks,
> > Tim & Ralph, dnssd WG co-chairs
> >
> > Begin forwarded message:
> >
> > From: Christian Huitema <huitema@microsoft.com>
> > Subject: [dnssd] FW: New Version Notification for
> > draft-huitema-dnssd-privacy-01.txt
> > Date: 10 June 2016 at 21:02:50 BST
> > To: "dnssd@ietf.org" <dnssd@ietf.org>
> > Cc: Daniel Kaiser <daniel.kaiser@uni-konstanz.de>
> >
> > Here is a new version of the "DNS-SD Privacy" draft. I co-authored it
> > with Daniel Kaiser. Daniel is completing his PhD at the University of
> > Konstanz, in Germany, studying issues related to privacy and
> > discovery. This new draft is in my opinion much improved from the
> > version 00 that I presented in Buenos Aires. You can read the abstract
> > below for the broad lines of the proposed solution. Or, better yet, read the
> draft and comment!
> >
> > -- Christian Huitema
> >
> >
> >
> > -----Original Message-----
> > From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> > Sent: Friday, June 10, 2016 12:35 PM
> > To: Christian Huitema <huitema@microsoft.com>; Daniel Kaiser
> > <daniel.kaiser@uni-konstanz.de>
> > Subject: New Version Notification for
> > draft-huitema-dnssd-privacy-01.txt
> >
> >
> > A new version of I-D, draft-huitema-dnssd-privacy-01.txt
> > has been successfully submitted by Christian Huitema and posted to the
> > IETF repository.
> >
> > Name: draft-huitema-dnssd-privacy
> > Revision: 01
> > Title: Privacy Extensions for DNS-SD
> > Document date: 2016-06-10
> > Group: Individual Submission
> > Pages: 26
> > URL:
> > https://www.ietf.org/internet-drafts/draft-huitema-dnssd-privacy-01.tx
> > t
> > Status:
> > https://datatracker.ietf.org/doc/draft-huitema-dnssd-privacy/
> > Htmlized:       https://tools.ietf.org/html/draft-huitema-dnssd-privacy-01
> > Diff:
> > https://www.ietf.org/rfcdiff?url2=draft-huitema-dnssd-privacy-01
> >
> > Abstract:
> >   DNS-SD allows discovery of services published in DNS or MDNS.  The
> >   publication normally discloses information about the device
> >   publishing the services.  There are use cases where devices want to
> >   communicate without disclosing their identity, for example two mobile
> >   devices visiting the same hotspot.
> >
> >   We propose to solve this problem by a two-stage approach.  In the
> >   first stage, hosts discover Private Discovery Service Instances via
> >   DNS-SD using special formats to protect their privacy.  These service
> >   instances correspond to Private Discovery Servers running on peers.
> >   In the second stage, hosts directly query these Private Discovery
> >   Servers via DNS-SD over TLS.  A pairwise shared secret necessary to
> >   establish these connections is only known to hosts authorized by a
> >   pairing system.
> >
> >
> >
> >
> > Please note that it may take a couple of minutes from the time of
> > submission until the htmlized version and diff are available at tools.ietf.org.
> >
> > The IETF Secretariat
> >
> > _______________________________________________
> > dnssd mailing list
> > dnssd@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnssd
> >
> >
> >
> > _______________________________________________
> > ietf-privacy mailing list
> > ietf-privacy@ietf.org
> > https://www.ietf.org/mailman/listinfo/ietf-privacy
> >
> 
> 
> 
> --
> Joseph Lorenzo Hall
> Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
> 1401 K ST NW STE 200, Washington DC 20005-3497
> e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
> Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871