[Cryptography] Apple's iCloud+ "VPN"

Bill Woodcock woody at pch.net
Wed Jul 7 23:04:28 EDT 2021



>> On Sat, 26 Jun 2021, Bill Woodcock wrote:
>> Putting aside all of the rest of your arguments, some of which I very much agree with, and others of which I disagree with to one degree or other, I think you should be advocating, as I am, for implementation of Extended DNS Errors.  A huge part of the problem, from my point of view, is that users are denied knowledge of _why_ the DNS has not answered their query.

> On Jul 7, 2021, at 9:32 AM, Paul Wouters <paul at nohats.ca> wrote:
> if those errors can be used by the user/DNS software to mark these
> answers as "censored" to ask another resource, and thus circumventing
> the block, the courts will blame that on the DNS provider too, and
> would likely want them to stop returning these extended errors.

Hm.  Another post I partly agree with and partly disagree with.  What a court might or might not do in the future should in no way influence the production and promulgation of correct engineering solutions in the standards process.

> That won't help because these errors have no authentication.

That, on the other hand, is a deficiency which had not been obvious to me until you pointed it out, and now is.  If you’re saying that you believe DNS Extended Errors should include a mechanism for the server generating the error to identify itself and sign the error message, then I agree, and in retrospect this seems like an oversight which should be remedied, and remembered for the future.

                                -Bill
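
The following is an added illustration, not part of the original message and not taken from any DNS implementation: a minimal parser for the Extended DNS Error EDNS0 option as laid out in RFC 8914. It shows that the option consists only of a 16-bit INFO-CODE and free-form EXTRA-TEXT, with no field identifying or authenticating the server that generated it. The function names and sample bytes are constructed for this example.

```python
import struct

EDE_OPTION_CODE = 15  # EDNS0 option code assigned to Extended DNS Error (RFC 8914)
# The RFC 8914 INFO-CODEs that describe deliberately withheld answers
INFO_CODES = {15: "Blocked", 16: "Censored", 17: "Filtered", 18: "Prohibited"}

def parse_edns_options(rdata):
    """Split OPT pseudo-RR RDATA into (option_code, option_data) pairs."""
    options, offset = [], 0
    while offset < len(rdata):
        if offset + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", rdata, offset)
        offset += 4
        if offset + length > len(rdata):
            raise ValueError("option length runs past end of RDATA")
        options.append((code, rdata[offset:offset + length]))
        offset += length
    return options

def extended_errors(rdata):
    """Decode every EDE option found in the OPT RDATA."""
    found = []
    for code, data in parse_edns_options(rdata):
        if code != EDE_OPTION_CODE:
            continue
        if len(data) < 2:
            raise ValueError("EDE option shorter than its INFO-CODE")
        (info_code,) = struct.unpack_from("!H", data)
        found.append({
            "info_code": info_code,
            "meaning": INFO_CODES.get(info_code, "other"),
            # Everything after the INFO-CODE is free-form text: the option has
            # no signer name, key identifier or signature field to verify.
            "extra_text": data[2:].decode("utf-8", errors="replace"),
        })
    return found

def build_ede(info_code, text):
    """Encode one EDE option (used here only to construct the sample)."""
    body = struct.pack("!H", info_code) + text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(body)) + body

# Constructed sample: an 8-byte COOKIE option (code 10) followed by an EDE option
SAMPLE_RDATA = struct.pack("!HH", 10, 8) + bytes(8) + build_ede(16, "constructed example text")

if __name__ == "__main__":
    for error in extended_errors(SAMPLE_RDATA):
        print(error)
```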
