-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathdraft-reddy-add-enterprise-00.xml
645 lines (525 loc) · 28.2 KB
/
draft-reddy-add-enterprise-00.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
<?xml version="1.0" encoding="US-ASCII"?>
<!-- This template is for creating an Internet Draft using xml2rfc,
which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!-- One method to get references from the online citation libraries.
There has to be one entity for each item to be referenced.
An alternate method (rfc include) is described in the references. -->
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs),
please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use.
(Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space
(using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->
<rfc category="info" docName="draft-reddy-add-enterprise-00" ipr="trust200902">
<front>
<title abbrev="DoH/DoT in Enterprise Networks">DNS-over-HTTPS and
DNS-over-TLS Server Deployment Considerations for Enterprise
Networks</title>
<author fullname="Tirumaleswar Reddy" initials="T." surname="Reddy">
<organization abbrev="McAfee">McAfee, Inc.</organization>
<address>
<postal>
<street>Embassy Golf Link Business Park</street>
<city>Bangalore</city>
<region>Karnataka</region>
<code>560071</code>
<country>India</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<author fullname="Dan Wing" initials="D." surname="Wing">
<organization abbrev="Citrix">Citrix Systems, Inc.</organization>
<address>
<postal>
<street></street>
<country>USA</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<date />
<workgroup>ADD</workgroup>
<abstract>
<t>This document discusses DoH/DoT deployment considerations for
Enterprise networks. It particularly sketches the required steps to use
DNS-over-TLS (DoT) and/or DNS-over-HTTPS (DoH) server provided by the
Enterprise network.</t>
<t>One of the goals of the document is to assess to what extent existing
tools can be used to provide such service.</t>
</abstract>
</front>
<middle>
<section anchor="intro" title="Introduction">
<t><xref target="RFC7626"></xref> discusses DNS privacy considerations
in both "on the wire" (Section 2.4 of <xref target="RFC7626"></xref>)
and "in the server" (Section 2.5 of <xref target="RFC7626"></xref>)
contexts. In recent years there has also been an increase in the
availability of "public resolvers" <xref target="RFC8499"></xref> which
DNS clients may be pre-configured to use instead of the default network
resolver for a variety of reasons (e.g., offer a good reachability,
support an encrypted transport, provide a strong privacy policy, (lack
of) filtering).</t>
<t>If public (DoT) <xref target="RFC7858"></xref> or DNS-over-HTTPS
(DoH) <xref target="RFC8484"></xref> servers are used instead of using
local DNS servers, it can adversely impact Enterprise network-based
security. Various network security services are provided by Enterprise
networks to protect endpoints (e.g., laptops, printers, IoT devices),
and to enforce enterprise policies. These policies may be necessary to
protect employees, customers, or citizens. They are not the subject of
this memo.</t>
<t>Enterprise DNS servers in place for these purpose act on DNS requests
originating from endpoints. However, if an endpoint uses public DoT or
DoH servers, the desired enterprise protection and enforcement can be
bypassed.</t>
<t>In order to act on DNS requests from endpoints, network security
services can block DoT traffic by dropping outgoing packets to
destination port 853. Identifying DoH traffic is far more challenging
than DoT traffic. Network security services may try to identify the
well-known DoH resolvers by their domain name, and DNS-over-HTTPS
traffic can be blocked by dropping outgoing packets to these domains.
However, DoH traffic can not be fully identified without acting as a TLS
proxy.</t>
<t>If a network security service blocks access to the public DoH/DoT
server, there are incompatibilities with the privacy profiles discussed
in <xref target="RFC8310"></xref>: <list style="symbols">
<t>If an endpoint has enabled strict privacy profile (Section 5 of
<xref target="RFC8310"></xref>), the endpoint cannot resolve DNS
names.</t>
<t>If an endpoint has enabled opportunistic privacy profile (Section
5 of <xref target="RFC8310"></xref>), the endpoint will either
fallback to an encrypted connection without authenticating the DNS
server provided by the local network or fallback to clear text DNS,
and cannot exchange encrypted DNS messages. The fallback adversely
impacts security and privacy as internal attacks are possible in
Enterprise networks. For example, an internal attacker can modify
the DNS responses to re-direct the client to malicious servers or
pervasively monitor the DNS traffic. The reader may refer to Section
3.2.1 of <xref target="I-D.arkko-farrell-arch-model-t"></xref> for a
discussion on the need for more awareness about attacks from within
closed domains.</t>
</list></t>
<t>To overcome the above threats, this document specifies mechanisms to
configure endpoints to use Enterprise provided DoT and DoH servers, and
bootstrap IoT devices and unmanaged endpoints to discover and
authenticate the DoT and DoH servers provided by the Enterprise
network.</t>
<t>A common usage pattern for an IoT device is for it to "call home" to
a service that resides on the public Internet, where that service is
referenced through a domain name (A or AAAA record). As discussed in
Manufacturer Usage Description Specification <xref target="RFC8520">
</xref>, because these devices tend to require access to very few sites,
all other access should be considered suspect. However, if the query is
not accessible for inspection, it becomes quite difficult for the
infrastructure to suspect anything.</t>
<t>This document focuses on DoH/DoT deployment considerations for
Enterprise networks, DoH/DoT sever discovery and deployment
considerations for home networks are discussed in <xref
target="I-D.btw-add-home"></xref>.</t>
</section>
<section anchor="notation" title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
<xref target="RFC2119"></xref><xref target="RFC8174"></xref> when, and
only when, they appear in all capitals, as shown here.</t>
<t>This document makes use of the terms defined in <xref
target="RFC8499"></xref> and <xref
target="I-D.ietf-dnsop-terminology-ter"></xref>.</t>
<t>'DoH/DoT' refers to DNS-over-HTTPS and/or DNS-over-TLS.</t>
</section>
<section anchor="depl" title="IT-owned devices">
<t>If a device is managed by an enterprise's IT department, the device
can be configured to use Enterprise-provided DoH/DoT servers. This
configuration might be manual or rely upon whatever deployed device
management tool in an Enterprise. For example, customizing Firefox using
Group Policy to use the Enterprise DoH server is discussed in <xref
target="Firefox-Policy"></xref> for Windows and MacOS, and setting
Chrome policies is discussed in <xref target="Chrome-Policy"></xref> and
<xref target="Chrome-DoH"></xref>.</t>
</section>
<section title="IoT Devices">
<t>The solution described in this document is aimed in general at
non-constrained IoT devices (i.e., class 2+ <xref
target="RFC7228"></xref>) operating on a Enterprise network without a
device management tool and require agentless or standardized approaches.
The basis for trust, therefore, is quite different from that of a
laptop, tablet, or smart phone. The following bootstrapping mechanisms
can be used to securely provision IoT devices to use Enterprise provided
DoT and DoH servers:<list style="symbols">
<t>IoT devices supporting Bootstrapping Remote Secure Key
Infrastructures (BRSKI) discussed in <xref
target="I-D.ietf-anima-bootstrapping-keyinfra"></xref> can be
bootstrapped with the Enterprise-provided DoH/DoT servers using the
mechanism discussed in Section 5 of <xref
target="I-D.reddy-add-iot-byod-bootstrap"></xref>.</t>
<t><xref target="RFC8572"></xref> defines a bootstrapping strategy
for enabling devices to securely obtain the required configuration
information with no installer input. DHCP/RA <xref
target="I-D.btw-add-home"></xref> can be used to discover the
DoH/DoT information. If the insecurely discovered DoH/DoT
information is not pre-configured in the IoT device, the client can
validate the Policy Assertion Token signature (Section 7 <xref
target="I-D.reddy-add-server-policy-selection"></xref>) using the
owner certificate (Section 3.2 of <xref
target="RFC8572"></xref>).</t>
<t>When IoT devices connect to a network via EAP methods such as
Tunnel Extensible Authentication Protocol (TEAP) <xref
target="RFC7170"></xref>, it would be possible to extend these
methods to return additional configuration elements as part of
completion of the authentication transaction. One simple approach
would be after successful completion of the EAP method in Phase 2
for a TEAP server to return a new TLV that indicates the local
DoH/DoT information.</t>
<t>Not all of IoT devices support 802.1x supplicant and need an
alternate mechanism to connect to the Enterprise network. To address
this limitation, unique pre-shared keys are created for each IoT
device and WPA-PSK is used <xref target="PSK"></xref>. In other
words, WPA-PSK is used with unique pre-shared keys for different IoT
devices to deal security issues.<list style="symbols">
<t>The IoT device needs to be provisioned with a Pre-Shared Key
(PSK) for mutual authentication. The PSK is only known to the
IoT device and the WPA server. In this case, the bootstrapping
mechanism discussed in Section 4 of <xref
target="I-D.reddy-add-iot-byod-bootstrap"></xref> may be used to
securely bootstrap IoT device with the authentication domain
name (ADN) and DNS server certificate of the local network's
DoH/ DoT server. It uses password-based authenticated key
exchange (PAKE) scheme to authenticate the EST server and fetch
the DoH/DoT server certificate. Note that provisioning massive
number of IoT devices with PSK is not a scalable onboarding
mechanism but will work in Small Office/Home Office (SOHO) and
Small/Medium Enterprise (SME).</t>
</list></t>
<t>If Device Provisioning Protocol (DPP) <xref target="dpp"></xref>
is used, the configurator can securely configure IoT devices with
the local DoH/DoT server by extending the content of the
configuration elements provided by the configurator. Because DPP can
provide a private shared key for use with WPA-PSK, it can be
combined with the above methods.</t>
<t>The OMA LWM2M specification <xref target="oma"></xref> defines an
architecture where a new device (LWM2M client) contacts a
Bootstrap-server which is responsible for "provisioning" essential
bootstrap information. The current standard defines the following
four bootstrapping modes (1) Factory Bootstrap (2) Bootstrap from
Smartcard (3) Client Initiated Bootstrap (4) Server Initiated
Bootstrap. The bootstrap information can be extended to include the
local DoH/DoT server details.</t>
<t>The Open Connectivitiy Foundation <xref target="ocf"></xref>
defines the onboarding process before a device is operational. Once
the onboarding tool and the new device have authenticated and
established secure communication, the onboarding tool can provision
the IoT device with the local DoH/DoT server.</t>
</list></t>
<t>This document does not discuss opportunistic or leap-of-faith
bootstrapping methods, they are susceptible to security issues (e.g.,
IoT device can be configured with the attacker's DoH/DoT server or
disable the use of DoH/DoT).</t>
</section>
<section title="BYOD">
<t>The following mechanisms can be used to bootstrap BYOD (bring your
own device) with the DoH/DoT server used by the Enterprise network:</t>
<t><list style="symbols">
<t>If mobile device management (MDM) <xref
target="MDM-Apple"></xref> is used to secure BYOD, MDM can be used
to configure OS/browser with the Enterprise provided DoH/DoT
server.</t>
<t>If an endpoint is on-boarded, for example, using Over-The-Air
(OTA) enrollment <xref target="OTA"></xref> to provision the device
with a certificate and configuration profile, the configuration
profile can include the authentication domain name (ADN) of the
DoH/DoT server. The OS/Browser can use the configuration profile to
use the Enterprise provided DoH/DoT server. In this case, MDM is not
installed on the device.</t>
<t>If an endpoint uses the credentials (username and password)
provided by the IT admin to mutually authenticate to the Enterprise
WiFi Access Point (e.g., PEAP-MSCHAPv2 <xref target="PEAP"></xref>,
EAP-pwd <xref target="RFC8146"></xref>, EAP-PSK <xref
target="RFC4764"></xref>), the boostrapping mechanism discussed in
Section 4 of <xref target="I-D.reddy-add-iot-byod-bootstrap"></xref>
can be used to securely bootstrap the endpoint with the ADN and DNS
server certificate of the local network's DoH/DoT server. <vspace
blankLines="1" />The DNS client uses PAKE scheme to authenticate the
EST server using the credentials to authenticate to the network. In
this case, the endpoint is neither provisioned with a configuration
profile or MDM is installed on the device. Many users have privacy
and personal data sovereignty concerns with employers installing MDM
on their personal devices; they are concerned that admin can glean
personal information and could control how they use their devices.
Yet when users do not install MDM on their devices, IT admins do not
get visibility into the security posture of those devices.<vspace
blankLines="1" />To overcome this problem, a host agent can
cryptographically attest the security status associated with device,
such as minimum passcode length, biometric login enabled, OS version
etc. This approach is fast gaining traction especially with the
advent of closed OS like <xref target="win10s">Windows 10 in S
mode</xref> or <xref target="Chromebook">Chromebook</xref>, where
applications are sandboxed (e.g., ransomware attack is not possbile)
and applications can only be installed via the OS store.</t>
</list></t>
<t>When attached to the enterprise network yet needing to use the
enterprise's DoH server only to access the internal-only DNS names, the
client device can learn about domains for which the local network's
resolver is authoritative via dnsZones key defined in Section 4.3 of
<xref target="I-D.ietf-intarea-provisioning-domains"></xref> (as other
DoH/DoT servers will be unaware of the internal-only DNS names).</t>
</section>
<section anchor="VPN" title="Roaming Enterprise Users">
<section title="VPN tunnel">
<t>In this Enterprise scenario (Section 1.1.3 of <xref
target="RFC7296"></xref>), a roaming user connects to the Enterprise
network through an VPN tunnel (e.g., IPsec, SSL, Wireguard). The
split-tunnel Virtual Private Network (VPN) configuration allows the
endpoint to access hosts that reside in the Enterprise network <xref
target="RFC8598"></xref> using that tunnel; other traffic not destined
to the Enterprise does not traverse the tunnel. In contrast, a
non-split- tunnel VPN configuration causes all traffic to traverse the
tunnel into the enterprise.</t>
<t>When the VPN tunnel is IPsec, The DoH/DoT server hosted by the
Enterprise network can be securely discovered by the endpoint using
the INTERNAL_ENC_DNS IKEv2 Configuration Payload Attribute Type
defined in <xref target="I-D.btw-add-ipsecme-ike"></xref>. For
split-tunnel VPN configurations, the endpoint uses the
Enterprise-provided DoT/DoH server to resolve internal-only domain
names. For non-split-tunnel VPN configurations, the endpoint uses the
Enterprise-provided DoT/DoH server to resolve both internal and
external domain names.</t>
<t>Other VPN tunnel types have similar configuration capabilities, not
detailed here.</t>
</section>
<section title="Client Authentication">
<t>When not on the local enterprise network (e.g., at home or coffee
shop) yet needing to access the enterprise DoH/DoT server but not
through a tunnel, roaming users can use client authentication to
access the Enterprise provided DoH/DoT server. For example, Firefox
DoH setting accepts user credentials <xref
target="Firefox-TRR"></xref> to authenticate the client to access the
DoH server. The exact client authentication mechanism to authenticate
to the DoH/DoT server is outside the scope of this specification.</t>
</section>
</section>
<section title="Upstream Encryption">
<t>If the Enterprise network is using the local DoH/DoT server
configured as a Forwarding DNS server <xref target="RFC8499"></xref>
relying on the upstream resolver (e.g., at an ISP) to perform recursive
DNS lookups, DNS messages exchanged between the local DoH/DoT server and
recursive resolver MUST be encrypted. If the Enterprise network is using
the local DoH/DoT server configured as a recursive DNS server, DNS
messages exchanges between the recursive resolver and authoritative
servers SHOULD be encrypted to conform to the requirements discussed in
<xref target="I-D.ietf-dprive-phase2-requirements"></xref>. </t>
</section>
<section anchor="Security" title="Security Considerations">
<t>Security and privacy considerations in <xref
target="I-D.reddy-add-iot-byod-bootstrap"></xref> need to be taken into
consideration.</t>
<t>The mechanism defined in <xref
target="I-D.reddy-add-server-policy-selection"></xref> can be used by
the DNS server to communicate its privacy statement URL and filtering
policy to a DNS client. This communication is cryptographically signed
to attest to its authenticity.</t>
<t>The DNS client can validate the signatory (i.e., cryptographically
attested by the Organization hosting the DoH/DoT server) and the user
can review human-readable privacy policy information of the DNS server
and assess whether the DNS server performs DNS-based content
filtering.</t>
<t>If the discovered DoH/DoT server does not meet the privacy preserving
data policy and filtering requirements of the user, the user can
instruct the DNS client to take appropriate actions. For example, the
action can be to use the local DNS server only to access internal-only
DNS names and use another DNS server (adhering with his/her
expectations) for public domains.</t>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>This document has no actions for IANA.</t>
</section>
<section title="Acknowledgements">
<t>Thanks to Mohamed Boucadair, Sandeep Rao, Vinny Parla, Nancy
Cam-Winget and Eliot Lear for the discussion and comments.</t>
</section>
</middle>
<!-- *****BACK MATTER ***** -->
<back>
<references title="Normative References">
<?rfc include='reference.RFC.2119'?>
<?rfc include='reference.RFC.8174'?>
<?rfc include='reference.RFC.8484'?>
<?rfc include='reference.RFC.7858'?>
<?rfc include='reference.RFC.8310'?>
<?rfc include='reference.I-D.reddy-add-iot-byod-bootstrap'?>
</references>
<references title="Informative References">
<?rfc include='reference.RFC.8499'?>
<?rfc include='reference.RFC.8598'?>
<?rfc include='reference.RFC.8520'?>
<?rfc include='reference.RFC.7170'?>
<?rfc include='reference.RFC.7626' ?>
<?rfc include='reference.RFC.8572' ?>
<?rfc include='reference.RFC.8146' ?>
<?rfc include='reference.RFC.4764' ?>
<?rfc include='reference.RFC.7296' ?>
<?rfc include='reference.RFC.7228' ?>
<?rfc include='reference.I-D.ietf-anima-bootstrapping-keyinfra'?>
<?rfc include='reference.I-D.reddy-add-server-policy-selection'?>
<?rfc include='reference.I-D.ietf-intarea-provisioning-domains'?>
<?rfc include='reference.I-D.ietf-dprive-phase2-requirements'?>
<?rfc include='reference.I-D.btw-add-ipsecme-ike'?>
<?rfc include='reference.I-D.btw-add-home'?>
<?rfc include='reference.I-D.ietf-dnsop-terminology-ter'?>
<?rfc include='reference.I-D.arkko-farrell-arch-model-t'?>
<reference anchor="Firefox-Policy"
target="https://github.com/mozilla/policy-templates/blob/master/README.md#dnsoverhttps">
<front>
<title>Policy templates for Firefox</title>
<author></author>
<date day="" month="" year="" />
</front>
</reference>
<reference anchor="Firefox-TRR"
target="https://wiki.mozilla.org/Trusted_Recursive_Resolver">
<front>
<title>Trusted Recursive Resolver</title>
<author></author>
<date day="" month="" year="" />
</front>
</reference>
<reference anchor="dpp"
target="https://www.wi-fi.org/download.php?file=/sites/default/files/private/Device_Provisioning_Protocol_Specification_v1.1_1.pdf">
<front>
<title>Wi-Fi Device Provisioning Protocol (DPP)</title>
<author fullname="" surname="Specifictaion version 1.1">
<organization>Wi-Fi Alliance</organization>
</author>
<date month="" year="2018" />
</front>
<seriesInfo name="Wi-Fi Alliance" value="" />
</reference>
<reference anchor="oma"
target="http://www.openmobilealliance.org/release/LightweightM2M/V1_1_1-20190617-A/OMA-TS-LightweightM2M_Core-V1_1_1-20190617-A.pdf">
<front>
<title>Lightweight Machine to Machine Technical Specification:
Core</title>
<author fullname="" surname="Approved Version: 1.1.1 - 2019 06 17">
<organization>Open Mobile Alliance</organization>
</author>
<date month="June" year="2019" />
</front>
<seriesInfo name="Open Mobile Alliance" value="" />
</reference>
<reference anchor="ocf"
target="https://openconnectivity.org/specs/OCF_Security_Specification_v1.0.0.pdf">
<front>
<title>OCF Security Specification</title>
<author fullname="" surname="Version: 1.0.0">
<organization>Open Connectivity Foundation</organization>
</author>
<date month="June" year="2017" />
</front>
<seriesInfo name="Open Connectivitiy Foundation" value="" />
</reference>
<reference anchor="Chrome-Policy"
target="https://support.google.com/chrome/a/answer/2657289?hl=en">
<front>
<title>Chrome policies for users or browsers</title>
<author>
<organization>The Unicode Consortium</organization>
</author>
<date day="" month="" year="" />
</front>
</reference>
<reference anchor="Chrome-DoH"
target="https://www.chromium.org/developers/dns-over-https">
<front>
<title>Chrome DNS over HTTPS (aka DoH)</title>
<author>
<organization>The Unicode Consortium</organization>
</author>
<date day="" month="" year="" />
</front>
</reference>
<reference anchor="win10s"
target="https://www.microsoft.com/en-us/windows/s-mode">
<front>
<title>Windows 10 in S mode</title>
<author>
<organization>Microsoft</organization>
</author>
<date day="" month="" year="" />
</front>
</reference>
<reference anchor="Chromebook"
target="https://support.google.com/chromebook/answer/3438631?hl=en">
<front>
<title>Chromebook security</title>
<author>
<organization>Microsoft</organization>
</author>
<date day="" month="" year="" />
</front>
</reference>
<reference anchor="PSK"
target="https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-5/b_Identity_PSK_Feature_Deployment_Guide.html">
<front>
<title>Identity PSK Feature Deployment Guide</title>
<author>
<organization>Cisco</organization>
</author>
<date day="" month="" year="" />
</front>
</reference>
<reference anchor="MDM-Apple"
target="https://developer.apple.com/documentation/devicemanagement">
<front>
<title>Mobile Device Management</title>
<author>
<organization>Apple</organization>
</author>
<date day="" month="" year="" />
</front>
</reference>
<reference anchor="OTA"
target="https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/OTASecurity/OTASecurity.html">
<front>
<title>Over-the-Air Profile Delivery Concepts</title>
<author>
<organization>Apple</organization>
</author>
<date day="" month="" year="" />
</front>
</reference>
<reference anchor="PEAP"
target="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-peap/5308642b-90c9-4cc4-beec-fb367325c0f9">
<front>
<title>[MS-PEAP]: Protected Extensible Authentication Protocol
(PEAP)</title>
<author>
<organization>Microsoft</organization>
</author>
<date day="" month="" year="" />
</front>
</reference>
<!---->
</references>
</back>
</rfc>