Hi,
I think that aggregation with Content is generally undesirable in terms of DoH. However there are use cases for authentication of a DoH channel for enterprise scenarios that we should not simply dismiss as a ‘user tracking’ mechanism. For example if an enterprise wants to build a Zero Trust solution and protect their private domain names to only those users authorized to access them. In such a case, the enterprise would want an authenticated DoH channel to do that. That authentication could be via mTLS on the DoH tls channel, OAuth or even WebAuthN. The point being there is a valid use case for doing this in a client implementation. -Vinny From: Andrew Campling <[email protected]> Sent: Sunday, October 11, 2020 4:23 PM To: Christian Huitema <[email protected]>; Tommy Pauly <[email protected]> Cc: Eric Orth <[email protected]>; [email protected]; James <[email protected]>; Vinny Parla (vparla) <[email protected]> Subject: RE: [dns-privacy] DNS and QUIC,HTTP/3 Long term vision... On 10/10/2020 2:28 AM, Christian Huitema wrote: On 10/9/2020 3:32 PM, Tommy Pauly wrote: Hi Andrew, At least the cookie aspect of this isn’t just a “best practice” of one implementer, but something indeed built into the protocol spec (https://tools.ietf.org/html/rfc8484): Determining whether or not a DoH implementation requires HTTP cookie [RFC6265 <https://tools.ietf.org/html/rfc6265> ] support is particularly important because HTTP cookies are the primary state tracking mechanism in HTTP. HTTP cookies SHOULD NOT be accepted by DOH clients unless they are explicitly required by a use case. I think it is incorrect to characterize that DoH has a flawed design by basing itself on a protocol that allows cookies, or allows multiplexing. These are certainly tools provided by HTTP, but it is up to use them or not as appropriate. “Bad” implementations can put information in just about any protocol that could be used for tracking users. I am not sure about that. These days, if a protocol design allow it to be used for surveillance, you can be pretty sure that it will be. That’s my concern too. If the capability exists then it will be used, the opportunity for monetisation (and other negative outcomes) is too great. Maybe DoH should add a requirement for servers to reject requests on multiplexed connections, or reject requests that come with cookies attached. That would provide a strong incentive for clients to do the right thing. My European DNS Resolver Policy for resolver operators includes the following: “[operators of DNS resolver services] SHOULD NOT use or require HTTP cookies when communicating with DNS clients that use HTTP-based DNS transports for resolution”. Andrew
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
