IETF Logo Mail Archive

Re: [Add] The ADD WG has placed draft-reddy-add-delegated-credentials in state "Call For Adoption By WG Issued"

Eric Rescorla <ekr@rtfm.com> Wed, 27 December 2023 21:16 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E54A5C1524BC for <add@ietfa.amsl.com>; Wed, 27 Dec 2023 13:16:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 581qdjj8O_ln for <add@ietfa.amsl.com>; Wed, 27 Dec 2023 13:16:23 -0800 (PST)
Received: from mail-yb1-xb36.google.com (mail-yb1-xb36.google.com [IPv6:2607:f8b0:4864:20::b36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E73A6C1524B3 for <add@ietf.org>; Wed, 27 Dec 2023 13:16:22 -0800 (PST)
Received: by mail-yb1-xb36.google.com with SMTP id 3f1490d57ef6-dae7cc31151so3592928276.3 for <add@ietf.org>; Wed, 27 Dec 2023 13:16:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1703711782; x=1704316582; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=KgJHDoghGaSS36K8dnYV1TyleKU1YT9W40xyhHZBako=; b=xY9CqEcfMnxC+e60XN76PYKLFqYHSSU2SluUE6fC7f8GaI6O9y/l/4zUr3IPcthzkg VMdOZr3Ol7PYE4/ziP0JJ+DiJZZqY4b4XCSOYXxLjB2tlaXOgGErGMhMmZsiVaHDDdAz Ho6+u5YljJPErNMXa9LWtGsUDhrnOG6YUvwYjkvbRff64OSqeKfunP6RZmVzFmQnLLCJ BqFvHvpLnBzXuSP0PcxFNg7eeVyWWpUWsGzKrXpYWhmeZCEPoPfG08ziYpctWe+imJeZ vntExSMpH/Xsjg0VRijAVYvRlss3hTtR4HAc7LyBq2Y2127sBZfojyjDogzYowIZkG/m D1xA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1703711782; x=1704316582; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KgJHDoghGaSS36K8dnYV1TyleKU1YT9W40xyhHZBako=; b=m/e1ag+FYYwyEBHWGkYbwV4FKZALO7KA9EkqA4MrU64F6WglJwOTIOX/H1pjHrOn14 qv1q93w+cNrxqIoVt6Oqt98FcAX/1yDz9zu53IPF1Vj4153L2dZGMcc+dug4LXO6zvLh N7AXkkXxfPgdL+PAfYxkCfQH34naO2iR1mCe7qGA9zE9T5O1EPIkb7ZEG4/muowZmqXx Ys57CDCvzrXVm1NGMQBplHRNGRIo/2q1ObYXv3pQ3NL7jt+CHIBwcBiRwHNA8GRWQCWW T39Ma0AMRlXN7hgUWk5dP9lCZipZvCkoP78RSMdmiEEesgaq0zOBb7lj7A0hy8/0xo9A r5Kg==
X-Gm-Message-State: AOJu0Yy/bmaFF51dTMFHaRLEd9vVWJ37PUXbCrU2duk1nzNDCEtV+r2Y TbWEpAK5Xi1VLabMT7YrleVlfNK9w3FpIQ3hejuB02Ftxf8KoaTW7N6FpJnl6Jw=
X-Google-Smtp-Source: AGHT+IFbmFhJ9f2hPh/ZaD/f6Q0SbogUaxtBQI7PIlLoNlvDb3mZjBkPDcH/YZ+rF/j/i08lX/XtUz90heqbhLJnAso=
X-Received: by 2002:a25:d2d0:0:b0:dbd:130f:651f with SMTP id j199-20020a25d2d0000000b00dbd130f651fmr4573354ybg.109.1703711781015; Wed, 27 Dec 2023 13:16:21 -0800 (PST)
MIME-Version: 1.0
References: <170209137178.9672.6804848432978591716@ietfa.amsl.com> <3b9fa8a5-02e7-408a-8dae-799f2c4e3a8e@betaapp.fastmail.com>
In-Reply-To: <3b9fa8a5-02e7-408a-8dae-799f2c4e3a8e@betaapp.fastmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 27 Dec 2023 13:15:44 -0800
Message-ID: <CABcZeBN7whOrSw+Jn4wxtd35vqmq0O+CoejN+O49MX78X+qFsQ@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: add@ietf.org, draft-reddy-add-delegated-credentials@ietf.org
Content-Type: multipart/alternative; boundary="00000000000081eefd060d844fa2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/DO4hfEGMlhrkB3BImRcZsOAmog8>
Subject: Re: [Add] The ADD WG has placed draft-reddy-add-delegated-credentials in state "Call For Adoption By WG Issued"
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Dec 2023 21:16:24 -0000

Document: draft-reddy-add-delegated-credentials-03.txt

I agree with Martin Thomson and others that we shouldn't adopt this
document at this time. I have several concerns about this specific
technical proposal.

- I don't find the arguments about why this can't use ordinary WebPKI
  certificates persuasive; it certainly seems that there are
  challenges with issuing a lot of CPE certificates, but those seem
  like they ought to be solvable.

- As far as I can tell, the current design allows an attacker who
  compromises CPE unit 1 to impersonate CPE unit 2, because they have
  DCs rooted in the same certificate. Given that there are likely to
  be a very large number of each unit, key extraction seems
  inevitable. That seems like an undesirable set of security
  properties even if the client gets its opinion about which reference
  identity to expect from the CPE. It's a more serious problem if
  either (1) the client gets its opinion in some other way or (2) the
  client behaves differently if DNS is encrypted.

Moreover, as Paul Wouters notes, it's not clear what the security
benefit of this proposal is. If the local network is secure, then
traffic to the CPE will be encrypted anyway, so it's not clear
what transport encryption of DNS is doing for us. On the other
hand, if the local network is insecure, then the attacker may
be able to impersonate the CPE and we are back to the extraction
case above.

More generally, the point of this design seems to be to preserve
the ability to have the CPE as an active participant in DNS
resolution, rather than just transiting the traffic. While
I appreciate that the CPE is commonly used as a control point
as described in S 1.1, this actually seems like not a great
practice given the notorious insecurity of home routers; rather,
it would be better to have name resolution encrypted directly
to the ISP resolver itself (and even better if there were some
way for the client to determine what that resolver's reference
identity was, but one step at a time).

Finally, Michael Richardson writes:

> I want to remind people, particularly those who have spoken against the
> document that **Adoption does not mean publication**.

This may in fact be formally true, but as a practical matter
documents acquire inertia once they have been adopted. So,
while it's reasonable to adopt a document in an imperfect
state under the assumption that those imperfections will
be corrected prior to publication, if the objection is that
the document is conceptually flawed, then the right answer
is not to adopt it at all.

-Ekr




On Mon, Dec 11, 2023 at 2:09 PM Martin Thomson <mt@lowentropy.net> wrote:

> I don't see this as ready for adoption.  I have a lot of questions that
> the document doesn't answer.
>
> Why is this on the standards track?  It's just say "you could do X", where
> X is a standards-track document.  Informational is sufficient.
>
> Given the relative levels of DC adoption, I'm not sure that this is going
> to make this deployment model much more accessible, but if OS vendors are
> on board, perhaps we'll see this change.
>
> The deployment model for this is pretty narrow, given that DC is
> essentially a license to impersonate.  The idea of "managed" devices makes
> it plausible at least, but the use of specifically-delegated names is
> essential.  That means that the central DNS is obligated to support ACME so
> that it can obtain a bunch of certificates.  (That doesn't mean STAR.
> Regular ACME would suffice; see below.)
>
> The tlsdelegation SvcParam makes no sense to me.  If the client has
> configuration sufficient to authenticate, that can include whatever
> information it needs to find the right endpoint to ask for a delegation.
>
> There is no delegation protocol defined.  Is it the case that this is
> intended to be proprietary in the same way that authentication is?
>
> I don't agree with the premise that ACME doesn't work for the CPE.  That
> would be a simpler overall system.  It doesn't need to be STAR.  The CPE
> has some means of obtaining a name from its management system.  Then it
> uses ACME.  Maybe it uses the management system to support the challenge
> (for the emplacement of DNS records, say).  Maybe this part of the protocol
> is standardized, maybe not.
>
> Cheers,
> Martin
>
> On Sat, Dec 9, 2023, at 14:09, IETF Secretariat wrote:
> > The ADD WG has placed draft-reddy-add-delegated-credentials in state
> > Call For Adoption By WG Issued (entered by Glenn Deen)
> >
> > The document is available at
> > https://datatracker.ietf.org/doc/draft-reddy-add-delegated-credentials/
> >
> > Comment:
> > WG Adoption call will run until December 15 2023
> >
> > --
> > Add mailing list
> > Add@ietf.org
> > https://www.ietf.org/mailman/listinfo/add
>
> --
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
>

v2.23.0 | Report a Bug | By Email