Re: Gen-ART and OPS-Dir review of draft-wkumari-dhc-capport-13

Ted Lemon <ted.lemon@nominum.com> Mon, 13 July 2015 17:25 UTC

Return-Path: <Ted.Lemon@nominum.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6329A1B2C9E for <ietf@ietfa.amsl.com>; Mon, 13 Jul 2015 10:25:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V2kmzHNyV2Di for <ietf@ietfa.amsl.com>; Mon, 13 Jul 2015 10:25:48 -0700 (PDT)
Received: from sjc1-mx02-inside.nominum.com (sjc1-mx02-inside.nominum.com [64.89.234.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CACE1B2C80 for <ietf@ietf.org>; Mon, 13 Jul 2015 10:25:48 -0700 (PDT)
Received: from webmail.nominum.com (cas-03.win.nominum.com [64.89.235.66]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client CN "mail.nominum.com", Issuer "Go Daddy Secure Certificate Authority - G2" (verified OK)) by sjc1-mx02-inside.nominum.com (Postfix) with ESMTPS id 730CFDA0077; Mon, 13 Jul 2015 17:25:48 +0000 (UTC)
Received: from [10.19.125.164] (50.242.119.237) by CAS-03.WIN.NOMINUM.COM (192.168.1.100) with Microsoft SMTP Server (TLS) id 14.3.224.2; Mon, 13 Jul 2015 10:25:48 -0700
Message-ID: <55A3F49B.7060701@nominum.com>
Date: Mon, 13 Jul 2015 10:25:47 -0700
From: Ted Lemon <ted.lemon@nominum.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Sam Hartman <hartmans-ietf@mit.edu>
Subject: Re: Gen-ART and OPS-Dir review of draft-wkumari-dhc-capport-13
References: <CE03DB3D7B45C245BCA0D2432779493613FF7529@MX104CL02.corp.emc.com> <55A13B30.4070208@bogus.com> <DM2PR0301MB065593620A6E227EB2D5421CA89E0@DM2PR0301MB0655.namprd03.prod.outlook.com> <CAHw9_iLS1BGmUfeUP7fX58QAZ4QmM72ZcTV6hZZwper40bG+=Q@mail.gmail.com> <DM2PR0301MB0655F71CD565888B3F1A4DCAA89E0@DM2PR0301MB0655.namprd03.prod.outlook.com> <55A2B3EE.9030406@nominum.com> <DM2PR0301MB06556CCF1464FCC56A4F3EF8A89D0@DM2PR0301MB0655.namprd03.prod.outlook.com> <55A2D520.60907@nominum.com> <tslio9odlz6.fsf@mit.edu>
In-Reply-To: <tslio9odlz6.fsf@mit.edu>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [50.242.119.237]
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/xN9iUojHy0aVtELWcdCTfS8nqh4>
Cc: Christian Huitema <huitema@microsoft.com>, "ietf@ietf.org" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2015 17:25:52 -0000

Thinking about this a bit more, it seems to me that the advice that 
should be followed in the case of a captive portal is this:

- You must make it possible to resolve any names required to register 
using DNSSEC, whether you support DNSSEC or not.
- You should support DNSSEC
- You must make it possible to do all appropriate validation for any SSL 
certs that are required to validate the connection to the portal.
- You must use SSL for the portal, and you must use validate-able certs.

My concern is that while this is really good advice, there's no real 
incentive in place to get the captive portal vendors to implement this 
nor to get the captive portal providers to require it or set it up 
correctly.   There is some small cost to supporting broken portals, but 
by and large laying this cost off on the end user works.

Similarly, as you say, the host software provider has no incentive to 
require this functionality: for the most part, it simply makes life 
difficult for the end user.   At present, Google is actually pretty good 
about this; the result is that it's hard to use Google devices on 
networks with broken captive portals, which are of course endemic.   
Google seems not to have paid a price for this thus far, but I don't see 
other vendors doing what Google is doing.