Re: [Add] The ADD WG has placed draft-reddy-add-delegated-credentials in state "Call For Adoption By WG Issued"
Eric Rescorla <ekr@rtfm.com> Tue, 16 January 2024 15:00 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3F13C31A616 for <add@ietfa.amsl.com>; Tue, 16 Jan 2024 07:00:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7SWYJNFE0SpI for <add@ietfa.amsl.com>; Tue, 16 Jan 2024 07:00:33 -0800 (PST)
Received: from mail-yw1-x112d.google.com (mail-yw1-x112d.google.com [IPv6:2607:f8b0:4864:20::112d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8B96C5AA3B8 for <add@ietf.org>; Tue, 16 Jan 2024 06:32:44 -0800 (PST)
Received: by mail-yw1-x112d.google.com with SMTP id 00721157ae682-5f70c085d64so82322337b3.1 for <add@ietf.org>; Tue, 16 Jan 2024 06:32:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1705415564; x=1706020364; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=2E59r5rYXuRSAK9CEBMuUfJALqOgnULizxPJPL1IyrE=; b=ahu3uhMrv+Nm8Oyu1RzW2G/EUdVZTJEZR1jP1UedOK3HEfgKRNa2m57EwniGdDkyoM pmAiq3g5di0Ydn3HpP4u2V6EC4tjLeksMdBi39SDeEkU8Dz+IC7zJomiuIVr7Yk0Y9fa 78HDAh+DcVo8Iv+HHGrDo0ZHYxsxXUypZ44EFPB9+2AD8QVr9MzaxAeW0i737E4hbEUf HUbZ4BHOTjY4hBnepi1xjx+vGhZtr9lpbbvHfwjmLYjjXiHM8TErNzMS0DLE9EZa3C/v Fcgk7fhJkeAmj1Jo0gUimmxs+1bRzPjoEHcTvZ39Ro3sPZb49kgZQk7IJ+BULuUHE+6d rzxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705415564; x=1706020364; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=2E59r5rYXuRSAK9CEBMuUfJALqOgnULizxPJPL1IyrE=; b=jYmchnwVVVanZw8JPmoW7WwJW+vWtGCn/ToSD1tje3BGUunWU32vrLSXxdvU/NAdSa WB5g9UD2Aanoqe4gvuQ8H6vU3aZ7rtU6U0L4QP6gRTAPPsvQkvmDsZQgt6870JICkNai v0UFvqrEeZVwtePvYdbRJDuCk2NmZh9+khTCzspo5RLYXnDkZK+iYPCXe7lPNFZHxL+u 6qikbnQgftB5ExDa967UGmr5iiIMZSrJMD9Y3tRZSmX5KjFVgV24S+bWABqKT/Y3Z1W3 1z4M9AIKhmD1uH67fVCAD9vN36PeXS2Mz5wGCSasbrZgMECGjVQHiAXpspr9/QR1Xd3N bV9w==
X-Gm-Message-State: AOJu0Yy+ggVyuACAnFw8HrJtuXe2i9NWN0hJROSrAQ0N3DTebMpuW28p IMrOjc1mUNGbX5Fz7RUtF5D6Gl5kMhUpCAxFB0T9w8lyAmO9NG7y2XOioy/Q
X-Google-Smtp-Source: AGHT+IEBUWbncEEPN7xqPzkU/AFqH17vtKZ7Z1APt0wWzncmGparCXMLLVsV2Xk4Y05MuT8lwZ35MtI0DdWKI9VTwPM=
X-Received: by 2002:a05:6902:1408:b0:dbd:4c4d:240d with SMTP id z8-20020a056902140800b00dbd4c4d240dmr4475221ybu.59.1705415563771; Tue, 16 Jan 2024 06:32:43 -0800 (PST)
MIME-Version: 1.0
References: <170209137178.9672.6804848432978591716@ietfa.amsl.com> <3b9fa8a5-02e7-408a-8dae-799f2c4e3a8e@betaapp.fastmail.com> <CABcZeBN7whOrSw+Jn4wxtd35vqmq0O+CoejN+O49MX78X+qFsQ@mail.gmail.com> <CAFpG3geZbLC8swxK_4=GpGsQ-iMJmg=Hq8CqmNgubNbb3P2NEQ@mail.gmail.com>
In-Reply-To: <CAFpG3geZbLC8swxK_4=GpGsQ-iMJmg=Hq8CqmNgubNbb3P2NEQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 16 Jan 2024 06:32:07 -0800
Message-ID: <CABcZeBNTQJCPHTdMxHmmz7MG=zhFY5vfRmpVhbTiKTpJeKAmcg@mail.gmail.com>
To: tirumal reddy <kondtir@gmail.com>
Cc: Martin Thomson <mt@lowentropy.net>, add@ietf.org, draft-reddy-add-delegated-credentials@ietf.org
Content-Type: multipart/alternative; boundary="000000000000df94ca060f11006f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/YZy1zTxqxlIP6P5qZg0aOuZXU7w>
Subject: Re: [Add] The ADD WG has placed draft-reddy-add-delegated-credentials in state "Call For Adoption By WG Issued"
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jan 2024 15:00:35 -0000
On Tue, Jan 16, 2024 at 4:27 AM tirumal reddy <kondtir@gmail.com> wrote: > Hi Ekr, > > Please see inline > > On Thu, 28 Dec 2023 at 02:46, Eric Rescorla <ekr@rtfm.com> wrote: > >> Document: draft-reddy-add-delegated-credentials-03.txt >> >> I agree with Martin Thomson and others that we shouldn't adopt this >> document at this time. I have several concerns about this specific >> technical proposal. >> >> - I don't find the arguments about why this can't use ordinary WebPKI >> certificates persuasive; it certainly seems that there are >> challenges with issuing a lot of CPE certificates, but those seem >> like they ought to be solvable. >> > > The issuance of a large number of certificates is one of the problems, > other challenges include the dependency on the CA to issue large number > certificates in a timely manner and to promptly replace expired > certificates. We considered other possible solutions, please see > https://datatracker.ietf.org/doc/html/draft-reddy-add-delegated-credentials-03#section-6 > for details. Such a scale has not been discussed in any other use cases > like CDNs using STAR certificates. > > Yes, I read those sections of the draft, but as I said I didn't find those arguments persuasive and these issues seem like they ought to be solvable. > >> - As far as I can tell, the current design allows an attacker wh >> compromises CPE unit 1 to impersonate CPE unit 2, because they have >> DCs rooted in the same certificate. >> > > The attacker cannot impersonate CPE unit 2 without knowing the credentials > used by the endpoints for authenticating to the CPE unit 2. > In this situation, the attacker has already compromised the relevant network. Given that there are likely to >> be a very large number of each unit, key extraction seems >> inevitable. That seems like an undesirable set of security >> properties even if the client gets its opinion about which reference >> identity to expect from the CPE. It's a more serious problem if >> either (1) the client gets its opinion in some other way or (2) the >> client behaves differently if DNS is encrypted. >> >> Moreover, as Paul Wouters notes, it's not clear what the security >> benefit of this proposal is. If the local network is secure, then >> traffic to the CPE will be encrypted anyway, so it's not clear >> what transport encryption of DNS is doing for us. On the other >> hand, if the local network is insecure, then the attacker may >> be able to impersonate the CPE and we are back to the extraction >> case above. >> > > The necessity of running encrypted DNS forwarders on the CPE is discussed > in Section 1.2 of the draft. The DNS client is unaware of the security > protocols employed to encrypt data from the endpoint to the CPE, and it is > also uncertain whether the DNS server and CPE are co-located or not. > > >> >> More generally, the point of this design seems to be to preserve >> the ability to have the CPE as an active participant in DNS >> resolution, rather than just transiting the traffic. While >> I appreciate that the CPE is commonly used as a control point >> as described in S 1.1, this actually seems like not a great >> practice given the notorious insecurity of home routers; rather, >> it would be better to have name resolution encrypted directly >> to the ISP resolver itself (and even better if there were some >> way for the client to determine what that resolver's reference >> identity was, but one step at a time). >> > > The managed CPEs are hardened devices capable of running network security > services. Security vendors have been offering security services on CPEs for > several years, deploying them on millions of devices to secure Home > networks, SOHO and SMB. For example, you can refer to > https://www.mcafee.com/support/?locale=en-US&articleId=TS102712&page=shell&shell=article-view for > details and such solutions are deployed by ISPs. > Yes, I'm aware this configuration is widely deployed. That doesn't make it a good idea. -Ekr > > Cheers, > -Tiru > > >> >> Finally, Michael Richardson writes: >> >> > I want to remind people, particularly those who have spoken against the >> > document that **Adoption does not mean publication**. >> >> This may in fact be formally true, but as a practical matter >> documents acquire inertia once they have been adopted. So, >> while it's reasonable to adopt a document in an imperfect >> state under the assumption that those imperfections will >> be corrected prior to publication, if the objection is that >> the document is conceptually flawed, then the right answer >> is not to adopt it at all. >> >> -Ekr >> >> >> >> >> On Mon, Dec 11, 2023 at 2:09 PM Martin Thomson <mt@lowentropy.net> wrote: >> >>> I don't see this as ready for adoption. I have a lot of questions that >>> the document doesn't answer. >>> >>> Why is this on the standards track? It's just say "you could do X", >>> where X is a standards-track document. Informational is sufficient. >>> >>> Given the relative levels of DC adoption, I'm not sure that this is >>> going to make this deployment model much more accessible, but if OS vendors >>> are on board, perhaps we'll see this change. >>> >>> The deployment model for this is pretty narrow, given that DC is >>> essentially a license to impersonate. The idea of "managed" devices makes >>> it plausible at least, but the use of specifically-delegated names is >>> essential. That means that the central DNS is obligated to support ACME so >>> that it can obtain a bunch of certificates. (That doesn't mean STAR. >>> Regular ACME would suffice; see below.) >>> >>> The tlsdelegation SvcParam makes no sense to me. If the client has >>> configuration sufficient to authenticate, that can include whatever >>> information it needs to find the right endpoint to ask for a delegation. >>> >>> There is no delegation protocol defined. Is it the case that this is >>> intended to be proprietary in the same way that authentication is? >>> >>> I don't agree with the premise that ACME doesn't work for the CPE. That >>> would be a simpler overall system. It doesn't need to be STAR. The CPE >>> has some means of obtaining a name from its management system. Then it >>> uses ACME. Maybe it uses the management system to support the challenge >>> (for the emplacement of DNS records, say). Maybe this part of the protocol >>> is standardized, maybe not. >>> >>> Cheers, >>> Martin >>> >>> On Sat, Dec 9, 2023, at 14:09, IETF Secretariat wrote: >>> > The ADD WG has placed draft-reddy-add-delegated-credentials in state >>> > Call For Adoption By WG Issued (entered by Glenn Deen) >>> > >>> > The document is available at >>> > >>> https://datatracker.ietf.org/doc/draft-reddy-add-delegated-credentials/ >>> > >>> > Comment: >>> > WG Adoption call will run until December 15 2023 >>> > >>> > -- >>> > Add mailing list >>> > Add@ietf.org >>> > https://www.ietf.org/mailman/listinfo/add >>> >>> -- >>> Add mailing list >>> Add@ietf.org >>> https://www.ietf.org/mailman/listinfo/add >>> >> -- >> Add mailing list >> Add@ietf.org >> https://www.ietf.org/mailman/listinfo/add >> >
- [Add] The ADD WG has placed draft-reddy-add-deleg… IETF Secretariat
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Ben Schwartz
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Martin Thomson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Martin Thomson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Paul Wouters
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Martin Thomson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Martin Thomson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Stephen Farrell
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Paul Wouters
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Vittorio Bertola
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Martin Thomson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Stephen Farrell
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Kevin P. Fleming
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Paul Wouters
- Re: [Add] [EXTERNAL] Re: The ADD WG has placed dr… Tommy Jensen
- Re: [Add] [EXTERNAL] Re: The ADD WG has placed dr… Andrew Campling
- Re: [Add] The ADD WG has placed draft-reddy-add-d… mohamed.boucadair
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] [EXTERNAL] Re: The ADD WG has placed dr… Paul Wouters
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Stephen Farrell
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Jain, Shashank
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Michael Richardson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Paul Wouters
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Stephen Farrell
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Stephen Farrell
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Michael Richardson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Eric Rescorla
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Tim Wicinski
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] [EXTERNAL] Re: The ADD WG has placed dr… Michael Richardson
- Re: [Add] [EXTERNAL] Re: The ADD WG has placed dr… Paul Wouters
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Michael Richardson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Eric Rescorla
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Eric Rescorla
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Michael Richardson
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Paul Wouters
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Eric Rescorla
- Re: [Add] The ADD WG has placed draft-reddy-add-d… tirumal reddy
- Re: [Add] The ADD WG has placed draft-reddy-add-d… Michael Richardson
- Re: [Add] [EXTERNAL] Re: The ADD WG has placed dr… Michael Richardson