On Tue, 26 Oct 2021, 17:22 Vinny Parla (vparla), <[email protected]> wrote:
> Hi,
>
> Thanks for the feedback.
> I think one of the issues here is that DNS (at the OS Resolver) level is
> headless, meaning there may not be an interactive user logged into the
> device – however the DoH connection would still need to have some type of
> identity/auth for those use cases.

Historically there exist any number of static URL authentication hacks for this scenario - and we can be absolutely sure that a DoH connection requires a URL - from the mildly deprecated:

http://user:[email protected]/resolve

...syntax, to the marginally more modern use of GET parameters to pass a token of some sort, on the URL.

Of course there are downsides to adopting such mechanisms, but I presume we are talking about a niche edge case where the client stack exclusively supports a URL, and it would be nice for such a mechanism to reuse and be compliant with the existing H of DoH, rather than reinventing something wholly new for the D of DoH.

-a

> mTLS can work for this – but the PKI headache for customers might be a
> barrier.
>
> I would prefer to use WebAuthN – but again that is an interactive-auth as
> there is no facility in WebAuthN for doing Device-level identity assertions
> today (headless) independent from the user identity.
>
> -Vinny
>
> *From:* Alec Muffett <[email protected]>
> *Sent:* Tuesday, October 26, 2021 12:17 PM
> *To:* Vinny Parla (vparla) <[email protected]>
> *Cc:* [email protected]
> *Subject:* Re: [dns-privacy] DoH Identity / Authentication...
>
> On Tue, 26 Oct 2021, 17:10 Vinny Parla (vparla), <vparla=[email protected]> wrote:
>
> > I would appreciate your thoughts/comments on this…
>
> It sounds sensible to me.
>
> Please just make it usable via standard "curl" and/or amenable to standard
> web load-balancing.
>
> Or simply ratify Auth/Basic and go from there?
>
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication
>
> -a
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
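An added illustration of the URL-based schemes discussed in the thread above (example code, not from either author or from any DoH implementation): it composes an RFC 8484 GET request and shows how a credential in the deprecated `user:pass@host` URL form can be hoisted into an `Authorization: Basic` header, so the query URL that proxies and access logs record carries no secret. The resolver `doh.example` and the credentials are constructed placeholders.

```python
import base64
import struct
from typing import Dict, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed resolver URL for this example; not a real service.
RESOLVER = "https://doh.example/dns-query"

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 wire-format query: one question, class IN, RD=1.
    Transaction ID is 0 as RFC 8484 suggests, so equal queries give equal URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_get_url(base: str, query: bytes) -> str:
    """RFC 8484 GET form: the wire-format query, base64url-encoded without padding."""
    return base + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    """RFC 7617 'Authorization: Basic' header built from user:password."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}

def hoist_userinfo(url: str) -> Tuple[str, Dict[str, str]]:
    """Move a secret out of the legacy http://user:pass@host/ form (deprecated by
    RFC 3986 because the URL is what logs, history and Referer record) into a header.
    Returns (credential-free URL, headers)."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, {}
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal: put the brackets back
        host = f"[{host}]"
    netloc = host + (f":{parts.port}" if parts.port else "")
    clean = urlunsplit(parts._replace(netloc=netloc))
    return clean, basic_auth_header(parts.username, parts.password or "")

def doh_request(resolver_url: str, name: str) -> Tuple[str, Dict[str, str]]:
    """Compose a DoH GET for `name`: a stable, secret-free URL plus the headers the
    resolver needs (Accept per RFC 8484; Authorization if the URL carried credentials)."""
    clean_url, headers = hoist_userinfo(resolver_url)
    headers["Accept"] = "application/dns-message"
    return doh_get_url(clean_url, build_dns_query(name)), headers
```

A token passed as a GET parameter has the same exposure as the userinfo form: whatever is in the URL is what intermediaries and logs keep, whereas a header is not part of the cacheable request target.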
