Re: [Add] The ADD WG has placed draft-reddy-add-delegated-credentials in state "Call For Adoption By WG Issued"
Eric Rescorla <ekr@rtfm.com> Wed, 27 December 2023 21:16 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E54A5C1524BC for <add@ietfa.amsl.com>; Wed, 27 Dec 2023 13:16:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 581qdjj8O_ln for <add@ietfa.amsl.com>; Wed, 27 Dec 2023 13:16:23 -0800 (PST)
Received: from mail-yb1-xb36.google.com (mail-yb1-xb36.google.com [IPv6:2607:f8b0:4864:20::b36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E73A6C1524B3 for <add@ietf.org>; Wed, 27 Dec 2023 13:16:22 -0800 (PST)
Received: by mail-yb1-xb36.google.com with SMTP id 3f1490d57ef6-dae7cc31151so3592928276.3 for <add@ietf.org>; Wed, 27 Dec 2023 13:16:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1703711782; x=1704316582; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=KgJHDoghGaSS36K8dnYV1TyleKU1YT9W40xyhHZBako=; b=xY9CqEcfMnxC+e60XN76PYKLFqYHSSU2SluUE6fC7f8GaI6O9y/l/4zUr3IPcthzkg VMdOZr3Ol7PYE4/ziP0JJ+DiJZZqY4b4XCSOYXxLjB2tlaXOgGErGMhMmZsiVaHDDdAz Ho6+u5YljJPErNMXa9LWtGsUDhrnOG6YUvwYjkvbRff64OSqeKfunP6RZmVzFmQnLLCJ BqFvHvpLnBzXuSP0PcxFNg7eeVyWWpUWsGzKrXpYWhmeZCEPoPfG08ziYpctWe+imJeZ vntExSMpH/Xsjg0VRijAVYvRlss3hTtR4HAc7LyBq2Y2127sBZfojyjDogzYowIZkG/m D1xA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1703711782; x=1704316582; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KgJHDoghGaSS36K8dnYV1TyleKU1YT9W40xyhHZBako=; b=m/e1ag+FYYwyEBHWGkYbwV4FKZALO7KA9EkqA4MrU64F6WglJwOTIOX/H1pjHrOn14 qv1q93w+cNrxqIoVt6Oqt98FcAX/1yDz9zu53IPF1Vj4153L2dZGMcc+dug4LXO6zvLh N7AXkkXxfPgdL+PAfYxkCfQH34naO2iR1mCe7qGA9zE9T5O1EPIkb7ZEG4/muowZmqXx Ys57CDCvzrXVm1NGMQBplHRNGRIo/2q1ObYXv3pQ3NL7jt+CHIBwcBiRwHNA8GRWQCWW T39Ma0AMRlXN7hgUWk5dP9lCZipZvCkoP78RSMdmiEEesgaq0zOBb7lj7A0hy8/0xo9A r5Kg==
X-Gm-Message-State: AOJu0Yy/bmaFF51dTMFHaRLEd9vVWJ37PUXbCrU2duk1nzNDCEtV+r2Y TbWEpAK5Xi1VLabMT7YrleVlfNK9w3FpIQ3hejuB02Ftxf8KoaTW7N6FpJnl6Jw=
X-Google-Smtp-Source: AGHT+IFbmFhJ9f2hPh/ZaD/f6Q0SbogUaxtBQI7PIlLoNlvDb3mZjBkPDcH/YZ+rF/j/i08lX/XtUz90heqbhLJnAso=
X-Received: by 2002:a25:d2d0:0:b0:dbd:130f:651f with SMTP id j199-20020a25d2d0000000b00dbd130f651fmr4573354ybg.109.1703711781015; Wed, 27 Dec 2023 13:16:21 -0800 (PST)
MIME-Version: 1.0
References: <170209137178.9672.6804848432978591716@ietfa.amsl.com> <3b9fa8a5-02e7-408a-8dae-799f2c4e3a8e@betaapp.fastmail.com>
In-Reply-To: <3b9fa8a5-02e7-408a-8dae-799f2c4e3a8e@betaapp.fastmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 27 Dec 2023 13:15:44 -0800
Message-ID: <CABcZeBN7whOrSw+Jn4wxtd35vqmq0O+CoejN+O49MX78X+qFsQ@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: add@ietf.org, draft-reddy-add-delegated-credentials@ietf.org
Content-Type: multipart/alternative; boundary="00000000000081eefd060d844fa2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/DO4hfEGMlhrkB3BImRcZsOAmog8>
Subject: Re: [Add] The ADD WG has placed draft-reddy-add-delegated-credentials in state "Call For Adoption By WG Issued"
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Dec 2023 21:16:24 -0000
Document: draft-reddy-add-delegated-credentials-03.txt I agree with Martin Thomson and others that we shouldn't adopt this document at this time. I have several concerns about this specific technical proposal. - I don't find the arguments about why this can't use ordinary WebPKI certificates persuasive; it certainly seems that there are challenges with issuing a lot of CPE certificates, but those seem like they ought to be solvable. - As far as I can tell, the current design allows an attacker who compromises CPE unit 1 to impersonate CPE unit 2, because they have DCs rooted in the same certificate. Given that there are likely to be a very large number of each unit, key extraction seems inevitable. That seems like an undesirable set of security properties even if the client gets its opinion about which reference identity to expect from the CPE. It's a more serious problem if either (1) the client gets its opinion in some other way or (2) the client behaves differently if DNS is encrypted. Moreover, as Paul Wouters notes, it's not clear what the security benefit of this proposal is. If the local network is secure, then traffic to the CPE will be encrypted anyway, so it's not clear what transport encryption of DNS is doing for us. On the other hand, if the local network is insecure, then the attacker may be able to impersonate the CPE and we are back to the extraction case above. More generally, the point of this design seems to be to preserve the ability to have the CPE as an active participant in DNS resolution, rather than just transiting the traffic. While I appreciate that the CPE is commonly used as a control point as described in S 1.1, this actually seems like not a great practice given the notorious insecurity of home routers; rather, it would be better to have name resolution encrypted directly to the ISP resolver itself (and even better if there were some way for the client to determine what that resolver's reference identity was, but one step at a time). Finally, Michael Richardson writes: > I want to remind people, particularly those who have spoken against the > document that **Adoption does not mean publication**. This may in fact be formally true, but as a practical matter documents acquire inertia once they have been adopted. So, while it's reasonable to adopt a document in an imperfect state under the assumption that those imperfections will be corrected prior to publication, if the objection is that the document is conceptually flawed, then the right answer is not to adopt it at all. -Ekr On Mon, Dec 11, 2023 at 2:09 PM Martin Thomson <mt@lowentropy.net> wrote: > I don't see this as ready for adoption. I have a lot of questions that > the document doesn't answer. > > Why is this on the standards track? It's just say "you could do X", where > X is a standards-track document. Informational is sufficient. > > Given the relative levels of DC adoption, I'm not sure that this is going > to make this deployment model much more accessible, but if OS vendors are > on board, perhaps we'll see this change. > > The deployment model for this is pretty narrow, given that DC is > essentially a license to impersonate. The idea of "managed" devices makes > it plausible at least, but the use of specifically-delegated names is > essential. That means that the central DNS is obligated to support ACME so > that it can obtain a bunch of certificates. (That doesn't mean STAR. > Regular ACME would suffice; see below.) > > The tlsdelegation SvcParam makes no sense to me. If the client has > configuration sufficient to authenticate, that can include whatever > information it needs to find the right endpoint to ask for a delegation. > > There is no delegation protocol defined. Is it the case that this is > intended to be proprietary in the same way that authentication is? > > I don't agree with the premise that ACME doesn't work for the CPE. That > would be a simpler overall system. It doesn't need to be STAR. The CPE > has some means of obtaining a name from its management system. Then it > uses ACME. Maybe it uses the management system to support the challenge > (for the emplacement of DNS records, say). Maybe this part of the protocol > is standardized, maybe not. > > Cheers, > Martin > > On Sat, Dec 9, 2023, at 14:09, IETF Secretariat wrote: > > The ADD WG has placed draft-reddy-add-delegated-credentials in state > > Call For Adoption By WG Issued (entered by Glenn Deen) > > > > The document is available at > > https://datatracker.ietf.org/doc/draft-reddy-add-delegated-credentials/ > > > > Comment: > > WG Adoption call will run until December 15 2023 > > > > -- > > Add mailing list > > Add@ietf.org > > https://www.ietf.org/mailman/listinfo/add > > -- > Add mailing list > Add@ietf.org > https://www.ietf.org/mailman/listinfo/add >
- [Add] The ADD WG has placed draft-reddy-add-deleg… IETF Secretariat
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Ben Schwartz
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Martin Thomson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Martin Thomson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Paul Wouters
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Martin Thomson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Martin Thomson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Stephen Farrell
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Paul Wouters
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Vittorio Bertola
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Martin Thomson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Stephen Farrell
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Kevin P. Fleming
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Paul Wouters
- Re: [Add] [EXTERNAL] Re: The ADD WG has placed dr… Tommy Jensen
- Re: [Add] [EXTERNAL] Re: The ADD WG has placed dr… Andrew Campling
- Re: [Add] The ADD WG has placed draft-reddy-add-d… mohamed.boucadair
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] [EXTERNAL] Re: The ADD WG has placed dr… Paul Wouters
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Stephen Farrell
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Jain, Shashank
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Michael Richardson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Paul Wouters
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Stephen Farrell
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Stephen Farrell
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Michael Richardson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Eric Rescorla
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Tim Wicinski
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] [EXTERNAL] Re: The ADD WG has placed dr… Michael Richardson
- Re: [Add] [EXTERNAL] Re: The ADD WG has placed dr… Paul Wouters
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Michael Richardson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Eric Rescorla
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Eric Rescorla
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Michael Richardson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Paul Wouters
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Eric Rescorla
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Michael Richardson
- Re: [Add] [EXTERNAL] Re: The ADD WG has placed dr… Michael Richardson