On May 5, 2019, at 9:25 PM, Martin Thomson <[email protected]> wrote:
> No mention here of how you get the name for certificate validation still.  
> That's still important.

We wrote a procedure where an endpoint can see if the local network's DNS 
servers are already on the endpoint's trust list (e.g., you trust your ISP's 
DoH server, visit a friend using that same ISP so you want to trust that same 
configuration at your friend's house). When joining a network where you don't 
trust that network's DNS servers, the user is asked if they want to trust that 
network's DNS servers for DoH. We also added some policy communication so the 
user can determine if they like the DNS server's policies (e.g., selling 
browsing history, filtering malware, etc.). With the policy information, the 
endpoint could avoid bugging the user if that network's DoH policies aren't at 
all aligned with the user's desires (e.g., user always wants malware filtering 
or wants parental filtering).

  
https://tools.ietf.org/html/draft-reddy-dprive-bootstrap-dns-server-02#section-3

Earlier versions of that same I-D did different things; we have reduced scope 
considerably.

-d
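The bootstrap decision described in the message above, as an added illustrative example (not code from the draft or from the list authors): an endpoint first checks whether the network-advertised DoH server is already on its trust list, silently skips the prompt when the advertised policy conflicts with the user's preferences, and only otherwise asks the user. The policy fields, preference names and server names are constructed assumptions, not the draft's actual encoding.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    USE_TRUSTED = "server already on the endpoint's trust list; use it"
    ASK_USER = "ask the user whether to trust this network's DoH server"
    SKIP_SILENTLY = "do not prompt: advertised policy conflicts with user preferences"


@dataclass(frozen=True)
class DohPolicy:
    # Hypothetical representation of what a network would advertise (assumption).
    server: str                   # DoH server name used for certificate validation
    sells_browsing_history: bool
    filters_malware: bool
    parental_filtering: bool


@dataclass(frozen=True)
class UserPreferences:
    # Hypothetical user settings; the draft does not define these names.
    require_malware_filtering: bool = False
    require_parental_filtering: bool = False
    refuse_history_selling: bool = True


def policy_conflicts(policy: DohPolicy, prefs: UserPreferences) -> list:
    """Return the reasons the advertised policy is incompatible with the user's wishes."""
    reasons = []
    if prefs.refuse_history_selling and policy.sells_browsing_history:
        reasons.append("server sells browsing history")
    if prefs.require_malware_filtering and not policy.filters_malware:
        reasons.append("server does not filter malware")
    if prefs.require_parental_filtering and not policy.parental_filtering:
        reasons.append("server offers no parental filtering")
    return reasons


def decide(policy: DohPolicy, trust_list: set, prefs: UserPreferences):
    """Decide what the endpoint does when a network advertises a DoH server."""
    # Already trusted (e.g. your own ISP's resolver, seen again at a friend's house).
    if policy.server in trust_list:
        return Decision.USE_TRUSTED, []
    # Not trusted: avoid bugging the user when the policy cannot satisfy them anyway.
    reasons = policy_conflicts(policy, prefs)
    if reasons:
        return Decision.SKIP_SILENTLY, reasons
    return Decision.ASK_USER, []
```

A real implementation would add the server to the trust list only after the user consents, and would still validate the server's certificate against the advertised name.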

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy