Re: [Add] The ADD WG has placed draft-reddy-add-delegated-credentials in state "Call For Adoption By WG Issued"
tirumal reddy <kondtir@gmail.com> Thu, 18 January 2024 06:53 UTC
Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B123EC14F73E; Wed, 17 Jan 2024 22:53:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wKLKT9XIPOoz; Wed, 17 Jan 2024 22:53:54 -0800 (PST)
Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F218C14F690; Wed, 17 Jan 2024 22:53:54 -0800 (PST)
Received: by mail-ej1-x62e.google.com with SMTP id a640c23a62f3a-a2bea904e72so210557266b.0; Wed, 17 Jan 2024 22:53:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1705560832; x=1706165632; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=8/oZFQS7MX1cNHNv1Ru+GCifomzUxz7zBIn1FsMTGuU=; b=a6RlOhsVJewhYBT3D5o7F2kpcnZMgH2NjFaBlZHL5Ru5legoyntiMYsH0DMY/sFaem B5yCfXmZ9dneEk8prOecOYX7xO3OHCcVQ1v7hjiEr466rG2dimQxTkxMxfS7IAzis93C CrPQQGzCJkjZu4FM4MZQO8Lpw4iBZu52HjTBSV2Lw7QMPmXqsK6G/pg5hMkI8jlq+NZ8 gVkLElJ4gj+uYRNlaWQlzIpqzFnoA5iTp6Xtc/bw/772Tg99Cvd1FJflYwSUAQy6fl2Z Anf3byee4/7gV6zjhzymkiad32yWW9ZKltI4LLyvC0khLa8et6LaLGmBw8Iqw6YvnYES r8pg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705560832; x=1706165632; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=8/oZFQS7MX1cNHNv1Ru+GCifomzUxz7zBIn1FsMTGuU=; b=nVrvlmbDRM5GyoZfR9oGAkZ6G0pX7nMrU+/I/HEUIo0W3DyM/AOwabGPk9q4m7TRwZ nF9Z2jR4rRCCofJJ888W7bcLxNjPVv1j4JurINbe0L2RsjBwSJ0nRP9lsTFtCeBbSC2a likv81qsFG00/7jOViZvVPNSrY7kLiS2k8eNV5QLFYHFsVOWBsdEJ1GeA20a3tNTggIO RcH6ao/wJnZTQp1qvDXgM9pS0x84qAtnHV/dTsMeBN2T358yqAkWV7IlDIvmwCWxO2Q6 +ZFzld/6zj2+6BWLrmOYW01KkAeigjA+gNb8UUM1TsTImCfaFIH6ebZToShPYgJm6rMF 6Kpg==
X-Gm-Message-State: AOJu0YzpXryP1R5aY2ZyOps9zZBGH/SYQK4tQTYnP4vufZ96kTOAEil1 P/zV1qqYjxTu/Hca3WQB9WLL/2YsRrZ95eV3zg8W6kip9Vv0Pi2L4mq3cTFHF3Mfc0KVSKO0ZpT z+VK4NvBdPicxUSLSBiTV65EI1Ar7hFyRufs=
X-Google-Smtp-Source: AGHT+IFv0GwTTvEgbIEUFcS1o+h3luIu5IoWsZKYDLdTn+0J/ltkeTc3BncmyAveMswfUeHpNyevBBQdkuWLwy9DGdQ=
X-Received: by 2002:a17:906:1694:b0:a2e:9531:94e with SMTP id s20-20020a170906169400b00a2e9531094emr393288ejd.3.1705560831992; Wed, 17 Jan 2024 22:53:51 -0800 (PST)
MIME-Version: 1.0
References: <170209137178.9672.6804848432978591716@ietfa.amsl.com> <3b9fa8a5-02e7-408a-8dae-799f2c4e3a8e@betaapp.fastmail.com> <CABcZeBN7whOrSw+Jn4wxtd35vqmq0O+CoejN+O49MX78X+qFsQ@mail.gmail.com> <CAFpG3geZbLC8swxK_4=GpGsQ-iMJmg=Hq8CqmNgubNbb3P2NEQ@mail.gmail.com> <CABcZeBNTQJCPHTdMxHmmz7MG=zhFY5vfRmpVhbTiKTpJeKAmcg@mail.gmail.com>
In-Reply-To: <CABcZeBNTQJCPHTdMxHmmz7MG=zhFY5vfRmpVhbTiKTpJeKAmcg@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Thu, 18 Jan 2024 12:23:14 +0530
Message-ID: <CAFpG3ge4ATrps2-V1mUuZHtwTrphR_yUVyT996eCFke+bwBDSw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Martin Thomson <mt@lowentropy.net>, add@ietf.org, draft-reddy-add-delegated-credentials@ietf.org
Content-Type: multipart/alternative; boundary="00000000000088a81f060f32d305"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/OXUrmyXhI463wfYpUr0W89PuBQE>
Subject: Re: [Add] The ADD WG has placed draft-reddy-add-delegated-credentials in state "Call For Adoption By WG Issued"
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jan 2024 06:53:55 -0000
On Tue, 16 Jan 2024 at 20:02, Eric Rescorla <ekr@rtfm.com> wrote: > > > On Tue, Jan 16, 2024 at 4:27 AM tirumal reddy <kondtir@gmail.com> wrote: > >> Hi Ekr, >> >> Please see inline >> >> On Thu, 28 Dec 2023 at 02:46, Eric Rescorla <ekr@rtfm.com> wrote: >> >>> Document: draft-reddy-add-delegated-credentials-03.txt >>> >>> I agree with Martin Thomson and others that we shouldn't adopt this >>> document at this time. I have several concerns about this specific >>> technical proposal. >>> >>> - I don't find the arguments about why this can't use ordinary WebPKI >>> certificates persuasive; it certainly seems that there are >>> challenges with issuing a lot of CPE certificates, but those seem >>> like they ought to be solvable. >>> >> >> The issuance of a large number of certificates is one of the problems, >> other challenges include the dependency on the CA to issue large number >> certificates in a timely manner and to promptly replace expired >> certificates. We considered other possible solutions, please see >> https://datatracker.ietf.org/doc/html/draft-reddy-add-delegated-credentials-03#section-6 >> for details. Such a scale has not been discussed in any other use cases >> like CDNs using STAR certificates. >> >> Yes, I read those sections of the draft, but as I said I didn't find > those arguments persuasive and these issues seem like they ought to be > solvable. > Please refer to https://www.ietf.org/archive/id/draft-reddy-add-delegated-credentials-03.html#section-6 for details on the limitations of alternate solutions. We could not identify any better options for hosting an encrypted DNS server on a large number of managed CPEs. It would be helpful to explore any other alternative solutions and discuss their pros/cons. > > > >> >>> - As far as I can tell, the current design allows an attacker wh >>> compromises CPE unit 1 to impersonate CPE unit 2, because they have >>> DCs rooted in the same certificate. >>> >> >> The attacker cannot impersonate CPE unit 2 without knowing the >> credentials used by the endpoints for authenticating to the CPE unit 2. >> > > In this situation, the attacker has already compromised the relevant > network. > The PKI certificate is issued to a service in the infrastructure owned by the entity managing the CPEs. The private key associated with the PKI certificate is used to sign the delegated credentials on each CPE. I don't get how compromising CPE unit 1 would leak the credentials used by the endpoints for authenticating to the CPE unit 2. > > Given that there are likely to >>> be a very large number of each unit, key extraction seems >>> inevitable. That seems like an undesirable set of security >>> properties even if the client gets its opinion about which reference >>> identity to expect from the CPE. It's a more serious problem if >>> either (1) the client gets its opinion in some other way or (2) the >>> client behaves differently if DNS is encrypted. >>> >>> Moreover, as Paul Wouters notes, it's not clear what the security >>> benefit of this proposal is. If the local network is secure, then >>> traffic to the CPE will be encrypted anyway, so it's not clear >>> what transport encryption of DNS is doing for us. On the other >>> hand, if the local network is insecure, then the attacker may >>> be able to impersonate the CPE and we are back to the extraction >>> case above. >>> >> >> The necessity of running encrypted DNS forwarders on the CPE is discussed >> in Section 1.2 of the draft. The DNS client is unaware of the security >> protocols employed to encrypt data from the endpoint to the CPE, and it is >> also uncertain whether the DNS server and CPE are co-located or not. >> > >> >>> >>> More generally, the point of this design seems to be to preserve >>> the ability to have the CPE as an active participant in DNS >>> resolution, rather than just transiting the traffic. While >>> I appreciate that the CPE is commonly used as a control point >>> as described in S 1.1, this actually seems like not a great >>> practice given the notorious insecurity of home routers; rather, >>> it would be better to have name resolution encrypted directly >>> to the ISP resolver itself (and even better if there were some >>> way for the client to determine what that resolver's reference >>> identity was, but one step at a time). >>> >> >> The managed CPEs are hardened devices capable of running network security >> services. Security vendors have been offering security services on CPEs for >> several years, deploying them on millions of devices to secure Home >> networks, SOHO and SMB. For example, you can refer to >> https://www.mcafee.com/support/?locale=en-US&articleId=TS102712&page=shell&shell=article-view for >> details and such solutions are deployed by ISPs. >> > > Yes, I'm aware this configuration is widely deployed. That doesn't make it > a good idea. > Why is it not a good idea to run encrypted DNS forwarder on a hardened CPE ? -Tiru > > > -Ekr > > >> >> Cheers, >> -Tiru >> >> >>> >>> Finally, Michael Richardson writes: >>> >>> > I want to remind people, particularly those who have spoken against the >>> > document that **Adoption does not mean publication**. >>> >>> This may in fact be formally true, but as a practical matter >>> documents acquire inertia once they have been adopted. So, >>> while it's reasonable to adopt a document in an imperfect >>> state under the assumption that those imperfections will >>> be corrected prior to publication, if the objection is that >>> the document is conceptually flawed, then the right answer >>> is not to adopt it at all. >>> >>> -Ekr >>> >>> >>> >>> >>> On Mon, Dec 11, 2023 at 2:09 PM Martin Thomson <mt@lowentropy.net> >>> wrote: >>> >>>> I don't see this as ready for adoption. I have a lot of questions that >>>> the document doesn't answer. >>>> >>>> Why is this on the standards track? It's just say "you could do X", >>>> where X is a standards-track document. Informational is sufficient. >>>> >>>> Given the relative levels of DC adoption, I'm not sure that this is >>>> going to make this deployment model much more accessible, but if OS vendors >>>> are on board, perhaps we'll see this change. >>>> >>>> The deployment model for this is pretty narrow, given that DC is >>>> essentially a license to impersonate. The idea of "managed" devices makes >>>> it plausible at least, but the use of specifically-delegated names is >>>> essential. That means that the central DNS is obligated to support ACME so >>>> that it can obtain a bunch of certificates. (That doesn't mean STAR. >>>> Regular ACME would suffice; see below.) >>>> >>>> The tlsdelegation SvcParam makes no sense to me. If the client has >>>> configuration sufficient to authenticate, that can include whatever >>>> information it needs to find the right endpoint to ask for a delegation. >>>> >>>> There is no delegation protocol defined. Is it the case that this is >>>> intended to be proprietary in the same way that authentication is? >>>> >>>> I don't agree with the premise that ACME doesn't work for the CPE. >>>> That would be a simpler overall system. It doesn't need to be STAR. The >>>> CPE has some means of obtaining a name from its management system. Then it >>>> uses ACME. Maybe it uses the management system to support the challenge >>>> (for the emplacement of DNS records, say). Maybe this part of the protocol >>>> is standardized, maybe not. >>>> >>>> Cheers, >>>> Martin >>>> >>>> On Sat, Dec 9, 2023, at 14:09, IETF Secretariat wrote: >>>> > The ADD WG has placed draft-reddy-add-delegated-credentials in state >>>> > Call For Adoption By WG Issued (entered by Glenn Deen) >>>> > >>>> > The document is available at >>>> > >>>> https://datatracker.ietf.org/doc/draft-reddy-add-delegated-credentials/ >>>> > >>>> > Comment: >>>> > WG Adoption call will run until December 15 2023 >>>> > >>>> > -- >>>> > Add mailing list >>>> > Add@ietf.org >>>> > https://www.ietf.org/mailman/listinfo/add >>>> >>>> -- >>>> Add mailing list >>>> Add@ietf.org >>>> https://www.ietf.org/mailman/listinfo/add >>>> >>> -- >>> Add mailing list >>> Add@ietf.org >>> https://www.ietf.org/mailman/listinfo/add >>> >>
- [Add] The ADD WG has placed draft-reddy-add-deleg… IETF Secretariat
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Ben Schwartz
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Martin Thomson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Martin Thomson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Paul Wouters
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Martin Thomson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Martin Thomson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Stephen Farrell
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Paul Wouters
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Vittorio Bertola
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Martin Thomson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Stephen Farrell
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Kevin P. Fleming
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Paul Wouters
- Re: [Add] [EXTERNAL] Re: The ADD WG has placed dr… Tommy Jensen
- Re: [Add] [EXTERNAL] Re: The ADD WG has placed dr… Andrew Campling
- Re: [Add] The ADD WG has placed draft-reddy-add-d… mohamed.boucadair
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] [EXTERNAL] Re: The ADD WG has placed dr… Paul Wouters
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Stephen Farrell
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Jain, Shashank
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Michael Richardson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Paul Wouters
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Stephen Farrell
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Stephen Farrell
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Michael Richardson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Eric Rescorla
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Tim Wicinski
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] [EXTERNAL] Re: The ADD WG has placed dr… Michael Richardson
- Re: [Add] [EXTERNAL] Re: The ADD WG has placed dr… Paul Wouters
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Michael Richardson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Eric Rescorla
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Eric Rescorla
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Michael Richardson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Paul Wouters
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Eric Rescorla
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Michael Richardson
- Re: [Add] [EXTERNAL] Re: The ADD WG has placed dr… Michael Richardson