On Wed, Dec 18, 2019 at 5:45 AM Sara Dickinson <[email protected]> wrote:
>
> > On 29 Nov 2019, at 15:39, Stephen Farrell via Datatracker <[email protected]> wrote:
> >
> > Reviewer: Stephen Farrell
> > Review result: Ready
>
> Hi Stephen,
>
> Thanks for reviewing (again)!
>
> >
> > I might not be the best reviewer for this one as I've read it a few times
> > before. But anyway, I scanned the diff [1] with RFC7626 and figure it
> > seems fine.
> >
> > The only thing that occurred to me that seemed missing was to note
> > that while the new privacy analysis in 3.5.1.1 is already complex, many
> > systems are mobile and hence an analysis that ignores that won't be
> > sufficient. For a mobile device one really needs to analyse all of the
> > possible setups, and hence it's even harder to get to a good answer.
> > (It could be that that's elsewhere in the document but since I only
> > read the diff, I didn't see it:-)
>
> There was a bit of discussion about this and the following text in 3.4.1
> was added:
>
> “ It is also noted that typically a device connected _only_ to a modern
> cellular network is
>
> o directly configured with only the recursive resolvers of the IAP
> and
> o all traffic (including DNS) between the device and the cellular
> network is encrypted following an encryption profile edited by the
> Third Generation Partnership Project (3GPP [2]).
>
> The attack surface for this specific scenario is not considered here."
>

This seems insufficient. We don't generally assume that the encryption in
mobile access networks is secure, if only for operational complexity
reasons. So I think this case could do with rather more text.

-Ekr

>
> Which hopefully covers this?
>
> Sara
>
> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy
>
