Re: [Doh] WG Review: DNS Over HTTPS (doh)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


On 15/09/17 23:04, Paul Hoffman wrote:
> On 15 Sep 2017, at 14:44, Stephen Farrell wrote:
> 
>> On 15/09/17 20:25, Ted Hardie wrote:
>>> 
>>> This set of questions is pretty different from the ones you get
>>> with "function over different paths", because the locus of
>>> control moves from the mostly-trusted browser to the mostly not
>>> trusted downloaded application.
>> 
>> FWIW, I share Ted's concerns about origins. Regardless of what
>> approaches are taken, the effects of this need to be well
>> understood I think. I don't object to the WG being chartered though
>> but would suggest that there be a mention in the charter that the
>> WG needs to document the consequences, including the dangers, of
>> caching and re-use of DNS answers for likely implementations.
> 
> The charter already points to the document that the work will be
> based on, which has that topic in it, because *you* pointed it out in
> the earlier discussion of the document. As co-author on the document,
> I assure you we will not remove it, if for no other reason than I
> wouldn't want to face your wrath again in IETF Last Call. :-)

"Wrath" has to count a pretty speedy escalation in terms,
and especially when I'm so shy and retiring about saying
what I think:-)

I'm also confident that that security considerations will
cover this topic in some sense. I'm not confident that I
understand the relevant consequences at this point in
time, so ISTM useful to mention it in the charter as that
might help later.

> 
>> I'd be even happier if the resulting spec had a bunch of MUST NOT
>> statements about that, if such statements were likely to be
>> effective.
> 
> All MUST NOTs are only partially effective, but we use them anyway
> to help good implementers. 

Agreed. And sometimes we use them to describe damaging
things bad implementers might otherwise be likely to do
without realising the downsides.

> If you have some proposed MUST NOTs on
> the current document, by all means send them in.

Probably better in a different thread, but I think there
is scope for a MUST NOT (re-)use answers outside the same
origin, but I've no doubt there are subtleties there that
the WG would need to figure out and that'd make this
sentence a bad idea to include on it's own.

S.

> 
> --Paul Hoffman
>

Attachment: signature.asc
Description: OpenPGP digital signature

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]