Re: [Ohttp] Discovery

Martin Thomson <mt@lowentropy.net> Fri, 18 June 2021 07:54 UTC

Message-Id: <238476f4-6bf9-4124-8146-e8c051b1b25f@www.fastmail.com>
In-Reply-To: <1F7246CE-589A-4B34-B514-AFA0F640A384@mnot.net>
References: <D8268CF8-94DA-4E91-9286-4E45B8E26CB6@mnot.net> <c57ed5b0-c17a-0bca-f42a-dafaa1725792@lear.ch> <1F7246CE-589A-4B34-B514-AFA0F640A384@mnot.net>
Date: Fri, 18 Jun 2021 17:53:29 +1000
From: Martin Thomson <mt@lowentropy.net>
To: ohttp@ietf.org
Cc: Eliot Lear <lear@lear.ch>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/ohttp/lB-qLRAey0YiLOpdg_ar0jn4Xe4>
Subject: Re: [Ohttp] Discovery
List-Id: Oblivious HTTP <ohttp.ietf.org>

Eliot, this line of argumentation is starting to smell like sealioning.  I know that you don't intend that, but maybe you could make some concrete suggestions for what needs to happen.  I think we're past the point where you don't understand what is being proposed.

It's OK if you want to say "don't standardize this".  That's a valid opinion.  We can then disagree.  But it sounds like you think that there is something we (collectively) need to be doing and it would really help to have that stated clearly.

On Fri, Jun 18, 2021, at 17:21, Mark Nottingham wrote:
> In any case, a similar approach can be taken. If someone has access to 
> the machine to install a MITM cert, they can configure the machine to 
> stop or re-route this mechanism. You may be worried that some vendors 
> may demur from making that easy to do, but that's a problem for the 
> market to solve, not the IETF. This should not affect the design of the 
> protocol.

I would also point out that this is going to be quite obvious to a proxy that is able to intercept connections.  That is not substantially different than CONNECT or MASQUE or any of the VPN protocols that exist (both inside and outside of the IETF).

As for endpoint-level controls, I'm guessing that we would probably rely on OHTTP being turned off entirely, rather than enable some sort of interception control, but we haven't gotten that far in terms of detailed planning.  That applies to DoH and telemetry both.  A lot of our enterprise deployments disable both already.