Dear Stephane,

It is my responsibility to convey my message in a clearer manner. The important thing for me is your response, for which I must say thank you. Truly speaking, the statement you disagreed with, regarding "distinguishing and tracing an individual, requires to identify him/her first", is not mine. I referred to it from "NIST Special Publication 800-122". Also, a summary of the complete RFC7626 was not my intention, but among all the discussed issues, from a portion of the said RFC, I just pointed out these two.

The working group is focused on developing standards to protect the privacy of an end user due to the plain text messaging of DNS. In that case there should be some details about the issues that can reveal PII of the end user instead of the application or IP. When I capture DNS traffic in some sniffing tool such as Wireshark, instead of other potential attacks regarding the DNS protocol, I don't see how to map the problem to the PII of the end user.

On Fri, May 13, 2016 at 5:38 PM, Stephane Bortzmeyer <[email protected]> wrote:

> On Fri, May 13, 2016 at 03:39:54PM +0500,
> Tariq Saraj <[email protected]> wrote
> a message of 70 lines which said:
>
> > Dear group fellows,
>
> Frankly, I'm not sure I fully understand your message.
>
> > For distinguishing or tracing individual requires to identify
> > him/her first.
>
> This is not true. It's the opposite: you trace an individual, without
> knowing him and, if you want and can, you try to identify her. But, in
> some use cases, tracing is enough (research in marketing, for
> instance).
>
> > May I know if there is a document that can explain that the two main
> > issues discussed in RFC7626 "Identification of IP and in some cases
> > application"
>
> I disagree with this summary of RFC 7626.
>
> > can reveal Identity of an end user and how ?
>
> I don't think we have the same approach of security. You seem to say
> that, while the attacker did not get everything he wanted, there is no
> security problem. For me, if the attacker can get access to some
> information HE HAS NO BUSINESS TO KNOW, it is already a security
> issue.
>
> "My" approach is, by the way, the most common in security: do not wait
> until the enemy is in the dungeon: even if he is still at the gates,
> you have a problem.
>
> > In simple the Impact of PM should be very clear regarding an end user
> > understanding.
>
> Text welcome.
>

--
Regards
Tariq Saraj
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
