Re: [Secdispatch] Request for a slot at the Secdispatch IETF 113 Session
Eric Rescorla <ekr@rtfm.com> Tue, 22 March 2022 09:55 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B6D13A0D79 for <secdispatch@ietfa.amsl.com>; Tue, 22 Mar 2022 02:55:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vtzOLc3HVnT2 for <secdispatch@ietfa.amsl.com>; Tue, 22 Mar 2022 02:55:50 -0700 (PDT)
Received: from mail-io1-xd2e.google.com (mail-io1-xd2e.google.com [IPv6:2607:f8b0:4864:20::d2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72B653A0D6F for <secdispatch@ietf.org>; Tue, 22 Mar 2022 02:55:50 -0700 (PDT)
Received: by mail-io1-xd2e.google.com with SMTP id e22so19541200ioe.11 for <secdispatch@ietf.org>; Tue, 22 Mar 2022 02:55:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dYIikbro8MQONlnUdfqqz1dNDE4j+nLp68aa9oNmfhM=; b=niIzaTeVKPGNIaEh42eq5lM+ALBik7s5h1EQfA47Axxz4cKI2f7Ns4QJ3rh/edHDoY 0JdVXht+Cq9C8dKi5EHKISdYCHI9yKJQpsTnnbx5TJuDnduZDh3qem5QfKK/CHxWANmv Z4XmE4kmcjGpoFUT0j8aoYaFABZxvGWqg9K3DawRv7TC+vgMSjHR4L80ajewH4x7Wtkg DScNQqWQDCi7BKDNZnzsxskE0G99BxhG4V1j10X4mpVrKaSLIIeLMGDiDPKq3nngrvJW 6A3pW0Jigd9yXEycY76Fexkh/zq39P+nXGoWZQE7aAU2ChPuC1QDpZ/1LgjJwqiljkPa Korg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dYIikbro8MQONlnUdfqqz1dNDE4j+nLp68aa9oNmfhM=; b=5BHFBwdBLA2wPrKymFU2nI2FIJpH5E8ZdRVxyOAOUFWn2n9FGDOlz4Nsn3jL0OYuGV iOz9r/HV3TdLAd1b2iVYkRfRzEX4N3o9KeMjDs2znfeJtq+zphCbxZuft7Ap94IQV92c OeeEkhfbuv2CDkTa0j71xVsN/EhmqxRdRMZDWb1h3DuUqllThqch2DQMm6jr5hQkjltm rJyeov2TZL0BeRJRGIMrjwsZxGolVSD5mL0DkhVMZKZqyZ+9IN31Rnf2hOorWOOJTBBn 41HTm0Ntiu2Jo7BO7E93pAVdiuNi6oHO8z2ZuxUiTCBynF1kNfp3Hvp4swenYmrNdH8W R4kQ==
X-Gm-Message-State: AOAM5309XVuxTLLlX9kqxEsPMbewscMXPruHkE+qGWjCFimpB+Uz47h5 9dR6W9vpb9S8gFIGQEyWJwoqup/dMvsw9rXqfpKfyg==
X-Google-Smtp-Source: ABdhPJxCYW1pgnP7D2b0WPIavxE81dyyK68lk6FwTCbJnYBmS/6ehBdKV8HjImhUAVmwub2TF/AqXuIqOxL2medoDXM=
X-Received: by 2002:a05:6602:26cd:b0:649:2bae:a63a with SMTP id g13-20020a05660226cd00b006492baea63amr11981839ioo.148.1647942949484; Tue, 22 Mar 2022 02:55:49 -0700 (PDT)
MIME-Version: 1.0
References: <29ED5EBE-D5B5-435A-B32D-10BE19513A25@mnot.net> <940DBC69-34CA-41EC-ACEB-E3E562772038@gmail.com>
In-Reply-To: <940DBC69-34CA-41EC-ACEB-E3E562772038@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 22 Mar 2022 02:55:13 -0700
Message-ID: <CABcZeBN1zk8gXf2Sh1VqjM70cJ=WfnSGMady2V_hqOLgXGMrXQ@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: Mark Nottingham <mnot@mnot.net>, David Schinazi <dschinazi.ietf@gmail.com>, Andrew Campling <andrew.campling@419.consulting>, IETF SecDispatch <secdispatch@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001d4c0505dacb9e31"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/HcFX5wy4c78F5h3PtuPEtwQxS14>
Subject: Re: [Secdispatch] Request for a slot at the Secdispatch IETF 113 Session
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2022 09:55:55 -0000
On Tue, Mar 22, 2022 at 2:24 AM Kathleen Moriarty < kathleen.moriarty.ietf@gmail.com> wrote: > Mark, > > Sent from my mobile device > > > On Mar 21, 2022, at 10:17 PM, Mark Nottingham <mnot@mnot.net> wrote: > > > > I'm not going to be at SECDISPATCH, so I'll make my comments here. > > > > First, a general comment. Andrew, you seem to be forming a habit of > relying on 8890 to get air time for your arguments. That RFC's focus is on > encouraging the IETF community to consider the impacts of its actions > elsewhere. The only place it privileges those already active here is when > it talks about civil society organisations' ability to act as a channel for > engaging the broader Internet community. I don't believe you're acting in > that capacity here. > > > > I.e., your arguments should stand on their own -- invoking 8890 doesn't > reinforce them. > > > > Now, regarding the draft -- draft-campling-ech-deployment-considerations > seems to assume that the *only* viable way to scan for viruses, impose > parental controls, or control access to resources is by having a network > element impose it without coordination. Your draft supports this by noting > that transparent proxies are used because they're easier to administer than > on-endpoint software -- a viewpoint which privileges administrator > convenience and cost over user safety, and ignores other options. > > No hat - > > Are there more options than Safe Browsing and endpoint solutions? There > are DNS based solutions, but if DoH forces you to go to a dedicated DNS > server you don’t get that filtering. It’s more helpful if the alternative > options are spelled out as well as how solutions are used. Closing a > security gap before other solutions are viable or in place will only > exacerbate the very real problems faced by organizations and their users > experiencing attacks including random ware. > I think it's a mistake to locate the incompatibility with DNS-based filtering in DoH. Rather, it's a question of resolver selection. Specifically, the case of interest is the one where the client uses a different DNS server (DoH, DoT, or otherwise) than that proposed by the network. And that disagreement happens when the network does not have practical control over the client (because otherwise it can force the client to use its preferred server). IOW, I don't think the question is the technical means by which said filtering happens, but whether the network can unilaterally impose filtering on the client. -Ekr
- [Secdispatch] Request for a slot at the Secdispat… Andrew Campling
- Re: [Secdispatch] Request for a slot at the Secdi… Kathleen Moriarty
- Re: [Secdispatch] Request for a slot at the Secdi… David Schinazi
- Re: [Secdispatch] Request for a slot at the Secdi… Andrew Campling
- Re: [Secdispatch] Request for a slot at the Secdi… Mark Nottingham
- Re: [Secdispatch] Request for a slot at the Secdi… Kathleen Moriarty
- Re: [Secdispatch] Request for a slot at the Secdi… Salz, Rich
- Re: [Secdispatch] Request for a slot at the Secdi… Eric Rescorla
- [Secdispatch] dispatching draft-campling-ech-depl… Stephen Farrell
- [Secdispatch] about draft-campling-ech-deployment… Michael Richardson