On Mon, Aug 20, 2018 at 12:41 PM, Vittorio Bertola <vittorio.bert...@open-xchange.com> wrote:

> Can you substantiate this statement with data / details? Because I only
> know cases in which:
> a) ISPs filter out content on behalf of the local government due to legal
> requirements/court orders;
>
Yes, although in many cases they are required by law to do it, but I am not
required by law to accept it—I can quite legally bypass this feature if I
want to.


> b) ISPs filter out content on request by the user, e.g. for parental
> control; in the UK, ISPs are actually required by law to provide this
> service to the user, that can then decide whether to activate it or not and
> even what to filter out;
>

Yes, and in that case wouldn't it be nice to be able to know that you're
actually talking to the right resolver? You can't do that with DHCP.


> c) ISPs filter out threats such as botnets, compromised websites
> distributing malware, etc - this does not entail any freedom of speech
> consideration and contributes to everyone's security.
>

Same question.


> In many European countries network operators are selling b)+c) (see for
> example https://securenet.vodafone.com/ ) and people are actively buying
> the service, so they explicitly want this kind of filtering (and will not
> be able to continue getting it if their browser redirects their DNS queries
> somewhere else); and if you do not want it, you just don't buy it. As for
> a), possibly users do not want it, but it is still mandated by law.
>

Yup, absolutely. I used to work for Nominum—we made a product that did
this, and a lot of people bought it, and I think they were wise to do so.


> So I cannot immediately recall cases in which a network operator in Europe
> is filtering out things that a user wants and can lawfully access. But you
> mention that your network operator is spoofing the DNS and stifling your
> freedom of expression, so I guess it is censoring legitimate websites -
> this is bad, of course, but can you tell me which operator, and which
> websites? It would help my understanding of your use case.
>

No, it's not bad. It's the service they offer, and it's fine that they
offer it. I think it's the right default. It's also fine that I choose
to bypass it.


> Finally, note that *in your country* it may be your right to use DoH to
> tamper with what your network operator is doing, but this may not be true
> in other countries. In fact, deploying any technology that circumvents
> security measures that network operators are required to implement by law
> might be illegal in itself.
>

Yes, and if we come up with a solution that allows both situations to be
securely communicated to the end user device, and allows the end user to
make an informed decision about whether or not to use the service with
these restrictions in place, I'm okay with that, and I think it's
appropriate for the IETF to do it. What I am arguing is that we should
actually describe how to do that, and not just hack together a solution
without thinking about that.


> In the end, the DNS is a very complex policy subject (see the mess that
> ICANN is) with lots of stakeholders and conflicting views, and IMHO such a
> deep change in its architecture and "ecosystem" would require much more
> caution and a much broader discussion going well beyond the IETF.


I believe that I too have been arguing for caution. Perhaps we disagree
on what the outcome of that cautious approach would be, but we both seem to
agree that it's worth thinking about carefully.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop