-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 06/20/2015 03:12 PM, internet-dra...@ietf.org wrote: > > https://datatracker.ietf.org/doc/draft-ietf-dnsop-onion-tld/ > *** 2.3 has a repeat "either".
2.6 reads correctly, but the more important reason IMO is the risk of privacy leak for the user. Similarly, the Security Considerations mention "leak the identity of the service that the user is attempting to access", which is grammatically correct but does not pinpoint that the user's privacy is the center of interest. Specifically, in 2.6, "leaking" the requested .onion to an authoritative DNS server that would implement NXDOMAIN usurpation could as well leak this information to third-parties (e.g., through beacons injected in the response). I'm still uncertain about 2.1: it's a remark that's already contained in the Security Considerations, and the technical requirement for humans is actually mentioned in the introduction: "Such addresses can be used as other domain names would be (e.g., in URLs [RFC3986])" In the Security Considerations, another point can be added to the "compromise list": "The .onion service address the user requests is sent to the DNS (which is what this document addresses)." It is different from "The access protocol is implemented or deployed incorrectly": e.g., Web browsers using DNS-pre-fetching for non-DNS strings. Otherwise this draft addresses my previous concerns, except for the fact it reserves .onion and not .onion AND .exit, which is still debatable. It's a very nice, consistent update from the previous draft. I'd appreciate an explicit mention of the user's privacy somewhere. Thank you for your attention, == hk -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQJ8BAEBCgBmBQJVhqxdXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRFQ0IyNkIyRTNDNzEyMTc2OUEzNEM4ODU0 ODA2QzM2M0ZDMTg5ODNEAAoJEEgGw2P8GJg92R8P/13kDLdvyuX/TPpnlSpWFVvS xxNm2cSuErqpwlH1MbnsI8GuQCtZxbq5qmJ+nlVAqe7LlWSNboJu15X8Ve/SFtDk YV4p99XqSmaY16zpwzcozQcDr62ze/Xu2uJ7Mw/WXNz6WrGS79SzL1KpYgvTJgIc z7t9l/gcKxciyTu6/+m7QATakR4NNYD9HqEMQqDyJEqYZX27eh1+Z75APiD1DXS9 7VIxsraVsT23ZymGHRRrOKNA5rThNwCqPukxBScY58wleUpp6fO24LZqSM7GdIfa OgmHWpp3ntv06DYlwm3E65B5GhquVMm+PrkWS/LJ42iymhOiNQ/2mfFboBB2X2US 7mqC1lR+OsxcpYa7KCdOQYJu9PmhopExmjPhnggEnXJ/WU7gk61j0z4N6RTqaLXP 4vOW1yP/P+Ic3fi0pQdOJ/7XyTKqSHqa0biBu1otwH13qhZqQw9HJSUlruJrHo0W 8FkEhzZYraTsZVdCerRKThvHcArIYe+sLM/iFvBwUQEtxkqbkPeaUCxrafib5dkc 3jer23bOnblXlDnF/goLSJZd00EAe/6lgOXKPSx++ie6GBEmLBlDyHSIdC30DbQ/ HrCm0mFZkQxMAav/6mb8Ibyf991BNHoC/vsuyv+OKmJUOwF+p6mkrGjRAXK9xSJm RMSYsKjlrg34BwxE5Fan =kGu0 -----END PGP SIGNATURE----- _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop