> On 10 Dec 2016, at 08:52, Stephane Bortzmeyer <[email protected]> wrote:
>
> On Thu, Dec 08, 2016 at 09:51:51AM +0000,
> Sara Dickinson <[email protected]> wrote
> a message of 138 lines which said:
>
>> Just to follow up on Tim’s mail. Any reviews of
>> https://datatracker.ietf.org/doc/draft-ietf-dprive-dtls-and-tls-profiles/
>> would be much appreciated to try to wind up the WGLC asap.
>

Hi Stephane,

> I've read draft-ietf-dprive-dtls-and-tls-profiles-07 and I've little
> to add to what I said in
> <https://mailarchive.ietf.org/arch/msg/dns-privacy/qKI3hnyCDywqYqCxFIyRDkYOvIA>
> The points I raised there have been well addressed. Thanks for that.
>
> I'm still a bit concerned about the issue of detection (that there is
> an attack). Detection for passive attacks is only possible if there is
> a prior history, unlike the detection for active attacks,

I’m not sure it is true that detection requires prior history, it just makes any attack more obvious. In this text:

"However, if it is available and the user is informed that an unencrypted connection was used to connect to a server then the user should assume (detect) that the connection is subject to both active and passive attack since the DNS queries are sent in clear text. This might be particularly useful if a new connection to a certain server is unencrypted when all previous connections were encrypted."

I was trying to indicate that simply using clear text is essentially the same as an attack because the traffic _can_ be subject to passive eavesdropping.

Would it help to replace the “N, D” labels in the table with just “N” and update the text to say “N == no protection, may be subject to attack”?

Sara.
