A client-side perspective: For Chrome browser, we have deliberately avoided any sort of support for client/device/user identity in DoH. E.g., Chrome's normal support for mTLS is completely disallowed through Chrome DoH, and even simple stuff like cookies is disallowed (Chrome never sends or saves cookies for DoH connections). This is primarily due to privacy concerns. We didn't want DoH to lead to an increase in user trackability through DNS.
It's pretty clear that there are use cases, especially for enterprise, where this sort of stuff would be very desirable, but we have so far held to the policy that OSes are better positioned than browsers to tell when it's a good idea and desired by the user/admin vs a privacy vulnerability. So unless we come up with some solution to resolve privacy concerns, Chrome browser will not likely directly support any of this work, but I think there's still a big role for this technology in other clients and I think DPRIVE is a good place for it to be discussed.

On Tue, Oct 26, 2021 at 1:00 PM Vinny Parla (vparla) <vparla=[email protected]> wrote:
> Hi Bill,
>
> One of the issues with mTLS is the PKI burden on customers. There also is
> not a good way to convey both device and user in mTLS (e.g. you can't have
> independent authentications of user and device within the single mTLS
> exchange). Most of the customers we have spoken with have a preference to
> have both.
>
> -Vinny
>
> -----Original Message-----
> From: Bill Woodcock <[email protected]>
> Sent: Tuesday, October 26, 2021 12:50 PM
> To: Alec Muffett <[email protected]>
> Cc: Vinny Parla (vparla) <[email protected]>; [email protected]
> Subject: Re: [dns-privacy] DoH Identity / Authentication...
>
> > On Oct 26, 2021, at 6:16 PM, Alec Muffett <[email protected]> wrote:
> >
> > On Tue, 26 Oct 2021, 17:10 Vinny Parla (vparla), <vparla=[email protected]> wrote:
> > > I would appreciate your thoughts/comments on this…
> >
> > It sounds sensible to me.
> >
> > Please just make it usable via standard "curl" and/or amenable to
> > standard web load-balancing.
> >
> > Or simply ratify Auth/Basic and go from there?
> >
> > https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication
>
> I had initially been thinking that it would be good to support both web
> Auth and mutual TLS, but the more I talk with people about it, the more it
> looks like we should just do TLS. So in the absence of a really compelling
> argument for supporting both, along with all of the future overhead it
> entails, my current position is mutual TLS only.
>
> -Bill
>
> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy
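As an added illustration of the client stance described in the message above (example code written for this page, not Chrome's code or anything from the list): a minimal RFC 8484 DoH GET request built with the Python standard library, configured so the TLS handshake carries no client certificate and no cookie jar exists, plus a check that refuses to send a request carrying identity-bearing headers. The resolver URL `https://dns.example/dns-query` is a placeholder, and the `send` function only talks to the network if you point it at a real resolver; the wire-format encoding follows RFC 1035 and the `dns=` parameter follows RFC 8484.

```python
import base64
import ssl
import struct
import urllib.request

# RFC 1035 constants for the one question type this example sends.
QTYPE_A = 1
QCLASS_IN = 1

# Request headers that would tie a DoH query to a user or session.
IDENTITY_HEADERS = {"cookie", "authorization", "proxy-authorization"}


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels (RFC 1035 section 3.1)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"invalid label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # the empty root label terminates the name
    return bytes(out)


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a minimal DNS query: ID 0, RD set, one question.

    RFC 8484 recommends ID 0 so identical questions yield identical
    request bodies/URLs (cache friendly, and one fewer per-query value
    that could distinguish one client from another).
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question


def doh_get_url(template_base: str, wire: bytes) -> str:
    """RFC 8484 GET form: base64url without '=' padding in the dns= parameter."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{template_base}?dns={b64}"


def make_request(template_base: str, name: str, qtype: int = QTYPE_A) -> urllib.request.Request:
    """Prepare the DoH GET request with only the header the protocol needs."""
    req = urllib.request.Request(doh_get_url(template_base, build_query(name, qtype)))
    req.add_header("Accept", "application/dns-message")
    return req


def identity_headers_present(req: urllib.request.Request) -> set:
    """Return the (lower-cased) identity-bearing headers found on a request."""
    return {k.lower() for k, _ in req.header_items()} & IDENTITY_HEADERS


def make_identity_free_opener() -> urllib.request.OpenerDirector:
    """Opener that authenticates the server only.

    No load_cert_chain() call, so the handshake offers no client certificate;
    build_opener() installs no HTTPCookieProcessor, so there is no jar to
    store or replay Set-Cookie values across DoH connections.
    """
    ctx = ssl.create_default_context()
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def opener_has_cookie_jar(opener: urllib.request.OpenerDirector) -> bool:
    """True if any handler on the opener would persist or send cookies."""
    return any(isinstance(h, urllib.request.HTTPCookieProcessor) for h in opener.handlers)


def send(opener: urllib.request.OpenerDirector, req: urllib.request.Request) -> bytes:
    """Refuse to send a request that would carry identity; otherwise fetch the answer."""
    leaked = identity_headers_present(req)
    if leaked:
        raise ValueError(f"refusing to send identity-bearing headers: {sorted(leaked)}")
    with opener.open(req, timeout=5) as resp:
        return resp.read()  # raw DNS wire-format answer (application/dns-message)


if __name__ == "__main__":
    # Placeholder resolver URL (constructed for this example); swap in a real
    # DoH template and call send(make_identity_free_opener(), req) to go online.
    req = make_request("https://dns.example/dns-query", "www.example.com")
    print(req.full_url)
    print("identity headers:", identity_headers_present(req) or "none")
```

The `www.example.com` query with ID 0 reproduces the `dns=` value given in RFC 8484, which is a quick way to confirm the encoder. The two controls that matter for the privacy point in the thread are the absence of `load_cert_chain()` (no mTLS identity) and the absence of a cookie processor (no session identity); the header check guards against an application layer adding `Authorization` or `Cookie` later.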
