Re: [Add] The ADD WG has placed draft-reddy-add-delegated-credentials in state "Call For Adoption By WG Issued"

Martin Thomson <mt@lowentropy.net> Mon, 11 December 2023 22:09 UTC

Message-Id: <3b9fa8a5-02e7-408a-8dae-799f2c4e3a8e@betaapp.fastmail.com>
In-Reply-To: <170209137178.9672.6804848432978591716@ietfa.amsl.com>
References: <170209137178.9672.6804848432978591716@ietfa.amsl.com>
Date: Tue, 12 Dec 2023 09:08:47 +1100
From: Martin Thomson <mt@lowentropy.net>
To: add@ietf.org, draft-reddy-add-delegated-credentials@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/fIqC8JYKt4wux3UhU6Gi_9gCmis>
Subject: Re: [Add] The ADD WG has placed draft-reddy-add-delegated-credentials in state "Call For Adoption By WG Issued"
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Dec 2023 22:09:14 -0000

I don't see this as ready for adoption.  I have a lot of questions that the document doesn't answer.

Why is this on the standards track?  It just says "you could do X", where X is a standards-track document.  Informational is sufficient.

Given the relative levels of DC adoption, I'm not sure that this is going to make this deployment model much more accessible, but if OS vendors are on board, perhaps we'll see this change.

The deployment model for this is pretty narrow, given that DC is essentially a license to impersonate.  The idea of "managed" devices makes it plausible at least, but the use of specifically-delegated names is essential.  That means that the central DNS is obligated to support ACME so that it can obtain a bunch of certificates.  (That doesn't mean STAR.  Regular ACME would suffice; see below.)

The tlsdelegation SvcParam makes no sense to me.  If the client has configuration sufficient to authenticate, that can include whatever information it needs to find the right endpoint to ask for a delegation.

There is no delegation protocol defined.  Is it the case that this is intended to be proprietary in the same way that authentication is?

I don't agree with the premise that ACME doesn't work for the CPE.  That would be a simpler overall system.  It doesn't need to be STAR.  The CPE has some means of obtaining a name from its management system.  Then it uses ACME.  Maybe it uses the management system to support the challenge (for the emplacement of DNS records, say).  Maybe this part of the protocol is standardized, maybe not.

Cheers,
Martin

On Sat, Dec 9, 2023, at 14:09, IETF Secretariat wrote:
> The ADD WG has placed draft-reddy-add-delegated-credentials in state
> Call For Adoption By WG Issued (entered by Glenn Deen)
>
> The document is available at
> https://datatracker.ietf.org/doc/draft-reddy-add-delegated-credentials/
>
> Comment:
> WG Adoption call will run until December 15 2023
>
> -- 
> Add mailing list
> Add@ietf.org
> https://www.ietf.org/mailman/listinfo/add
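The alternative the reply sketches (the CPE gets a name from its management system, then runs ordinary ACME with the management system placing the DNS challenge record) is shown below as an added simulation. This is not code from the draft, from the IETF, or from the message author; it assumes a management system that controls the zone the CPE's name lives in and can publish TXT records there, and it implements the dns-01 computation from RFC 8555 (key authorization = token "." JWK thumbprint; TXT value = base64url(SHA-256(key authorization))) with a constructed account key and token.

```python
"""Simulated ACME dns-01 validation for a CPE whose management system controls
the zone. Added example with constructed values; not from the draft or the thread."""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographically sorted,
    no whitespace, then SHA-256 and base64url. Optional members are ignored."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Key authorization is token '.' thumbprint (RFC 8555 s8.1); the TXT record
    carries base64url(SHA-256(key authorization)) (RFC 8555 s8.4)."""
    key_authz = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())


class ManagementSystem:
    """Stand-in for the operator's management system: it hands the CPE a
    delegated name under a zone it controls and can publish TXT records there.
    The DNS store is an in-memory dict (constructed for the demo)."""

    def __init__(self, zone: str):
        self.zone = zone
        self.records: dict[str, set[str]] = {}  # owner name -> TXT values
        self._next = 0

    def assign_name(self) -> str:
        self._next += 1
        return f"cpe{self._next}.{self.zone}"

    def publish_txt(self, name: str, value: str) -> None:
        self.records.setdefault(name, set()).add(value)

    def lookup_txt(self, name: str) -> set[str]:
        return self.records.get(name, set())


def ca_validate_dns01(ms: ManagementSystem, hostname: str, token: str,
                      account_jwk: dict) -> bool:
    """What the CA does: resolve _acme-challenge.<hostname> TXT and accept only
    if one value equals the digest expected for this token and account key."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in ms.lookup_txt(f"_acme-challenge.{hostname}")


def cpe_obtains_certificate(ms: ManagementSystem, account_jwk: dict,
                            token: str) -> tuple[str, bool]:
    """The flow from the message: obtain a name, ask the management system to
    place the dns-01 record, then let the CA validate. Returns (name, ok)."""
    hostname = ms.assign_name()
    ms.publish_txt(f"_acme-challenge.{hostname}",
                   dns01_txt_value(token, account_jwk))
    return hostname, ca_validate_dns01(ms, hostname, token, account_jwk)


# Constructed CPE account key (public part only). The coordinates are the
# well-known P-256 example values from RFC 7515 Appendix A.3, not a real
# deployment key. "use" is optional and must not affect the thumbprint.
CPE_ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",
}

if __name__ == "__main__":
    ms = ManagementSystem("cpe.example.net")
    host, ok = cpe_obtains_certificate(ms, CPE_ACCOUNT_JWK, secrets.token_urlsafe(32))
    print(host, "validated" if ok else "failed")
```

The point the simulation makes is that the only trust relationship needed is the one that already exists: the management system controls the zone and the CPE's account key, so the CA's normal validation suffices and no separate delegation protocol or credential is introduced. Because the record is bound to the account key thumbprint, a record placed for a different token or under a different name does not validate.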