Communication of filtering reason and responsible entity, for user consent

[chris-box]

Section 6.2.4 (Network-Based Filtering) says:

Clients that receive indication of filtering requirements SHOULD NOT use any other
resolver for the filtered domains, but treat the network as claiming authority. However,
since this filtering cannot be authenticated, this behavior SHOULD NOT be done
silently without user consent.

This presents two scenarios.

1. The network says filtering is optional.

The client needs to ask the user whether it should use that filtering or not. How is the user to make that decision? I think the protocol needs a way to communicate the reason why this optional filtering is made available. For example a PvD key could say "If you use our DNS service, we'll prevent access to all the malware domains that we know about." There should also be a way to confirm to the user whose DNS service this is, e.g. cryptographic assurance that this is supplied by Large Company X. The name on the TLS certificate is one obvious way to supply that, but it's possible there are better ways, particularly if the entity responsible for filtering could be distinct from the name on the certificate.

2. The network says filtering is required.

The client needs to ask the user whether to proceed on this network or not. In a similar way to the first case, I think the protocol needs a way to communicate some statement from the named responsible entity on why filtering is required.