On Fri, Oct 24, 2014 at 11:41 AM, Daniel Kahn Gillmor <[email protected]> wrote:
> On Thu 2014-10-23 22:44:19 -0400, Phillip Hallam-Baker wrote:
> > On Thu, Oct 23, 2014 at 7:50 PM, Daniel Kahn Gillmor <[email protected]> wrote:
> > I am all for the service user being anonymous. I do not want to use an
> > anonymous service though.
>
> Right, so you're saying "promiscuously using arbitrary recursive
> resolvers is a bad idea", but not that "promiscuous recursive resolvers
> are a bad idea".

Yes, I want to make sure that the user:

1) Gets to the same discovery service every time.
2) Has a means of checking they get to the discovery service they expect on first contact.
3) Doesn't need to think about security after first contact.

(3) is the reason I don't want to go the DTLS route after first contact. TLS depends on the user checking the padlock icon in the corner of the browser. So how would a DNS scheme work, two padlocks?? If the user isn't checking then we have a possibility of substitution attacks etc.

Using TLS once to set up a client/resolver connection is feasible. That is a case where we can use the full PKIX stack and EV and logotypes etc. But after that, DNS has to go right under the covers.

But we only need to do that if (2) is actually a requirement, which it might not be. Someone who is currently happy using 8.8.8.8 is probably going to be OK with a setup dialog where they type in a domain name and everything is automatic from there. Secure after first contact is probably good enough for them.

I can make a case for better than secure on first contact as well. But I don't think I will win that argument in the market if it's only private DNS on offer. But what would make that attractive is if I can bind a machine to a package of security services all in one go. So the user types in myemployer.com and the machine sets up a secure connection to the AV signature/scanner service, the PKI service, the two-factor auth service and of course the private DNS.
Now obviously using the connection service for anything other than DNS is out of scope. But designing a reusable architecture increases the chance that it is going to be worthwhile for people to use the system securely.
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
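The "check once at first contact, then verify automatically" model that the message above argues for, as an added example that is not part of the original thread or of any IETF specification. It simulates the three requirements: the user types a service name once, the client checks the identity it reached against that name (standing in for the TLS/PKIX-protected bootstrap), pins the result, and afterwards authenticates every answer with a TSIG-style MAC and no user involvement. The class names, the `.example` service names and the record data are all constructed for the illustration; the bootstrap hands over a shared secret in the clear only because the TLS channel is not modelled.

```python
import hashlib
import hmac
import json
import os

# Constructed illustration of the three requirements in the message: verify
# identity at first contact, pin it, then check every later answer silently.
# Hypothetical classes and names; this is not a real protocol.


class ResolverService:
    """A private DNS discovery/resolver service the user selects by name."""

    def __init__(self, name, records):
        self.name = name
        self.records = dict(records)
        # Per-service secret. In the real design it would be agreed inside the
        # TLS-protected first contact; here it is simply generated.
        self.key = os.urandom(32)

    def first_contact(self):
        # Stands in for the authenticated bootstrap over TLS: the client learns
        # the service identity and the key it will use to verify later answers.
        return {"service": self.name, "key": self.key}

    def answer(self, qname):
        # Each later response names the service (so redirection is visible)
        # and carries a MAC over the whole message.
        payload = json.dumps(
            {"service": self.name, "qname": qname, "rdata": self.records.get(qname)},
            sort_keys=True,
        ).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).digest()
        return payload, mac


class PinningClient:
    """Client that checks once, pins, and then verifies without asking."""

    def __init__(self):
        self.pinned = None

    def setup(self, expected_name, service):
        # Requirement (2): the one place the user's expectation is compared
        # with what was actually reached.
        info = service.first_contact()
        if info["service"] != expected_name:
            raise ValueError("first contact reached %r, expected %r"
                             % (info["service"], expected_name))
        # Requirement (1): remember exactly which service was accepted.
        self.pinned = info

    def resolve(self, service, qname):
        # Requirement (3): no padlock to inspect; the pin decides.
        if self.pinned is None:
            raise RuntimeError("setup() has not been run")
        payload, mac = service.answer(qname)
        expected = hmac.new(self.pinned["key"], payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            raise ValueError("answer not authenticated by the pinned service")
        msg = json.loads(payload)
        if msg["service"] != self.pinned["service"] or msg["qname"] != qname:
            raise ValueError("answer does not match pinned service or query")
        return msg["rdata"]


def demo():
    """Run the flow once and report what each step produced or refused."""
    name = "dns.myemployer.example"  # constructed service name
    good = ResolverService(name, {"intranet.myemployer.example": "10.0.0.5"})
    # Same claimed name, different key: a substituted service after pinning.
    rogue = ResolverService(name, {"intranet.myemployer.example": "203.0.113.9"})

    client = PinningClient()
    client.setup(name, good)
    result = {"pinned": client.pinned["service"]}
    result["answer"] = client.resolve(good, "intranet.myemployer.example")
    try:
        client.resolve(rogue, "intranet.myemployer.example")
        result["rogue_accepted"] = True
    except ValueError:
        result["rogue_accepted"] = False

    # A mismatch at first contact is the only point where the check is visible.
    other = PinningClient()
    try:
        other.setup(name, ResolverService("dns.someoneelse.example", {}))
        result["wrong_first_contact_accepted"] = True
    except ValueError:
        result["wrong_first_contact_accepted"] = False
    return result


if __name__ == "__main__":
    print(demo())
```

The design point is that the only user-visible decision is the one at `setup()`; everything `resolve()` does afterwards is mechanical, which is what lets DNS "go right under the covers" once the initial binding has been made.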
