In the commentary below, there are some use cases which are not being
included ....

On 2019-03-12 12:56 p.m., Christian Huitema wrote:
> On 3/12/2019 11:35 AM, Paul Vixie wrote:
> > if someone is concerned that some of the web sites
> > reachable through some CDN are dangerous...
>
> Paul, who is this someone? How do they decide? What does dangerous mean?
> These questions are very much behind the tension we see today. And the
> answers are not as black and white as "this is my network, I get to decide".

There are enterprise networks. There are home networks. There are some
socially organized networks. All seeking protection for their users, or
for themselves, or both. And sometimes/many-times, there has to be
'some-one' who can define some level of protection for the collection of
users.

DoH is almost like a trojan. Secret queries can be made to the outside
world. For the 'protector' of the infrastructure, the job then becomes
more difficult to perform.

Are there security personnel included in these conversations?

> For example, users routinely delegate the filtering decision to some
> kind of security software running on their device, often with support
> from some cloud based service. They are making an explicit decision, and
> often use menu options to decide what type of site is OK or not --
> adults would probably not subscribe to parental control services. There
> is a market for these products, they compete based on reputation, ease
> of use, etc.

This could be a legitimate scenario. But what if users are inside the
domain of an enterprise/home/organization/social network? They would need
to delegate their security to those who are maintaining that 'network'.
But when the users can build their own DoH 'tunnels' and hide that
traffic amongst other https traffic, security can be harder to
enforce/manage/supervise/maintain/forensically-identify.

> You are saying that whoever happens to control part of the network path
> is entitled to override the user choices and impose their own. Really?

I would say, yes.

> As Stephane wrote, that may be legit in some circumstances, but much
> more questionable in others, such as a hotel Wi-Fi attempting to decide
> what sites I could or could not access. It really is a tussle.

Yes, a tussle. There are many use cases.

The 'power of the individual' vs the 'will of the people'? [does not
totally properly convey the concept, but close enough]
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
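The reply's point that a user-built DoH 'tunnel' hides among ordinary https traffic can be made concrete. The Python below is an added example, not code from this thread or from any of its participants. It builds a DoH GET request in the form RFC 8484 specifies, shows what an inspector that terminates TLS can recover from the decrypted request, and contrasts that with a passthrough observer that only sees a port-443 connection and a server name. The `/dns-query` path follows the RFC's own examples; `cloudflare-dns.com` and `dns.google` are real public resolver names used only as an illustrative (and deliberately incomplete) list; `resolver.example.net` and the flow records are constructed for the example.

```python
"""DoH query on the wire (RFC 8484) and what each kind of observer can see."""
import base64
import struct


def build_dns_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Minimal RFC 1035 wire-format query: header, one question, class IN.
    RFC 8484 recommends ID 0 so that identical queries are cache-friendly."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_path(wire: bytes, path: str = "/dns-query") -> str:
    """RFC 8484 GET form: base64url, padding stripped, in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{path}?dns={b64}"


def parse_dns_question(wire: bytes):
    """Return (qname, qtype) for a well-formed single-question query, else None."""
    if len(wire) < 12:
        return None
    _qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    if flags & 0x8000 or qdcount != 1:  # QR must be 0 and exactly one question
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(wire):
            return None
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not belong in a query name
            return None
        labels.append(wire[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(wire):
        return None
    qtype, qclass = struct.unpack("!HH", wire[pos:pos + 4])
    if qclass != 1:
        return None
    return ".".join(labels), qtype


def doh_question_from_get(request_target: str):
    """Recover the DNS question from a decrypted HTTP request target if it is a
    DoH GET. Only an inspector that terminates TLS can ever see this string."""
    if "?" not in request_target:
        return None
    for param in request_target.split("?", 1)[1].split("&"):
        if not param.startswith("dns="):
            continue
        b64 = param[4:]
        try:
            wire = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
        except ValueError:  # binascii.Error is a ValueError
            return None
        return parse_dns_question(wire)
    return None


# Constructed flow records as a TLS-passthrough observer would log them:
# (client, server name from the ClientHello SNI, port). Not real traffic.
SAMPLE_FLOWS = [
    ("10.0.0.5", "www.example.com", 443),
    ("10.0.0.5", "cloudflare-dns.com", 443),
    ("10.0.0.7", "dns.google", 443),
    ("10.0.0.9", "resolver.example.net", 443),  # hypothetical self-hosted DoH
]

# Illustrative, deliberately incomplete list of public DoH resolver names.
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "dns.google"}


def classify_flow(server_name: str, port: int, known=KNOWN_DOH_HOSTS) -> str:
    """Without TLS termination the observer can only match on the server name."""
    if port != 443:
        return "non-https"
    return "known-doh" if server_name.lower() in known else "https"


if __name__ == "__main__":
    target = doh_get_path(build_dns_query("www.example.com"))
    print("DoH GET target:", target)
    print("Recovered after TLS termination:", doh_question_from_get(target))
    for client, sni, port in SAMPLE_FLOWS:
        print(client, sni, classify_flow(sni, port))
```

The passthrough classifier flags the two listed resolvers and nothing else: the self-hosted `resolver.example.net` flow is indistinguishable from any other HTTPS connection, which is exactly the enforcement gap the reply describes. Recovering the actual query requires terminating TLS on the client's path, and even then only the GET form is this easy to spot; a POST carries the same wire-format message as an `application/dns-message` body.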