On Sun, Mar 8, 2015 at 11:31 PM, Watson Ladd <[email protected]> wrote:
> On Sun, Mar 8, 2015 at 6:45 PM, Phillip Hallam-Baker
> <[email protected]> wrote:
> <snip>
> >
> > HTTPS privacy isn't the problem we are solving right now but DPRIV privacy
> > isn't going to be worth very much if the information we are securing is then
> > disclosed in the HTTP/HTTPS layer. So we have to solve DPRIV in a way that
> > does not paint us into a corner when we try to solve the next puzzle.
>
> But I don't see how using TLS 1.2 for a resolver-to-client connection
> paints us into a corner when trying to solve SNI-related leakage by
> changes in TLS 1.3, in a way that using some other cryptographic
> protocol doesn't. The information leaked by SNI when connecting to the
> resolver is not the information looked up over that link.

Please read what I wrote rather than answering what you guessed I might have written.

I am not concerned with the SNI issue in the DNS client-resolver protocol, and I have said that four times now.

The SNI issue comes in the HTTPS session that the DNS discovery is being used to build.

There are currently two places that the DNS names leak out: first in the DNS, and then in the HTTP or HTTPS channel. For years this has created an impasse, because the DNS folk would say 'no point in fixing the privacy leakage in DNS when it gets given out in TLS'. And then the TLS folk say that SNI isn't an issue in HTTPS because the name leaks in DNS.

So we have to start somewhere, and DNS is the place we are starting. But the protocol has to be layered in a way that makes sense. Either DNS is layered on TLS or vice versa. If there is mutual dependency we will have a very bad time trying to change either protocol in future.

This is not a cryptography issue, it is a protocol design issue. There is no point in doing DPRIV unless we are going to eventually fix SNI in HTTPS for web browsing.
> Sincerely,
> Watson Ladd
>
> > _______________________________________________
> > dns-privacy mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/dns-privacy
>
> --
> "Those who would give up Essential Liberty to purchase a little
> Temporary Safety deserve neither Liberty nor Safety."
> -- Benjamin Franklin
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
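The two leak points the message describes (the QNAME in a plaintext DNS query and the host_name in a TLS ClientHello's server_name extension) can be made concrete with a small parser. The following is an added example, not code from the thread or from any IETF document: it constructs a sample DNS A query and a minimal TLS 1.2 ClientHello for the same (constructed) hostname, then reads the name back out of each message the way a passive on-path observer could. The hostname, transaction ID, cipher suite and all-zero random are sample values chosen for the example; the wire layouts follow RFC 1035 (DNS question section) and RFC 5246/6066 (ClientHello and server_name extension).

```python
import struct

# Constructed sample hostname; it appears in both messages below.
HOSTNAME = "www.example.com"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal plaintext DNS A query for `name` (constructed sample)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_client_hello(name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying a server_name extension."""
    host = name.encode("ascii")
    server_name = struct.pack("!BH", 0, len(host)) + host  # name_type 0 = host_name
    sni_ext = (struct.pack("!HH", 0x0000, len(server_name) + 2)
               + struct.pack("!H", len(server_name)) + server_name)
    body = (
        b"\x03\x03"                             # client_version: TLS 1.2
        + b"\x00" * 32                          # random (constructed zeros)
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite (sample)
        + b"\x01\x00"                           # compression_methods: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def dns_qname(packet: bytes) -> str:
    """Read the QNAME of the first question; the question section never uses compression."""
    labels, pos = [], 12  # skip the 12-byte header
    while True:
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels)


def tls_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension, or None."""
    if record[0] != 0x16 or record[5] != 0x01:  # not a handshake record / not ClientHello
        return None
    pos = 5 + 4 + 2 + 32                        # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                      # session_id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len                           # cipher_suites
    pos += 1 + record[pos]                      # compression_methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0x0000:                     # server_name
            p = pos + 2                         # skip server_name_list length
            while p + 3 <= pos + elen:
                ntype = record[p]
                nlen = struct.unpack("!H", record[p + 1:p + 3])[0]
                if ntype == 0:
                    return record[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        pos += elen
    return None


def observed_names(dns_packet: bytes, tls_record: bytes) -> dict:
    """What a passive observer of both channels learns without any decryption."""
    return {"dns": dns_qname(dns_packet), "sni": tls_sni(tls_record)}


if __name__ == "__main__":
    print(observed_names(build_dns_query(HOSTNAME), build_client_hello(HOSTNAME)))
```

Both parsers return the same name, which is the impasse the message describes: encrypting only the DNS query leaves the SNI copy, and encrypting only the SNI leaves the DNS copy. This is also why the layering point matters: if the DNS query is carried inside a TLS session, the observer's view of that session is its own ClientHello (naming the resolver), while the QNAME sits inside the encrypted records and is no longer visible to this kind of parse.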
