Re: [Add] The ADD WG has placed draft-reddy-add-delegated-credentials in state "Call For Adoption By WG Issued"

tirumal reddy <kondtir@gmail.com> Wed, 13 December 2023 08:55 UTC

References: <170209137178.9672.6804848432978591716@ietfa.amsl.com> <3b9fa8a5-02e7-408a-8dae-799f2c4e3a8e@betaapp.fastmail.com>
In-Reply-To: <3b9fa8a5-02e7-408a-8dae-799f2c4e3a8e@betaapp.fastmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Wed, 13 Dec 2023 14:25:08 +0530
Message-ID: <CAFpG3gddM6G0eRcqLj0ZpZddbZWPtnsduWBV1zPJW-JLEQZCUw@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: add@ietf.org, draft-reddy-add-delegated-credentials@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/gmz2K1H2u7yRvHqj3sNRc4hWDmc>

Hi Martin,

Thanks for the feedback. Please see inline.

On Tue, 12 Dec 2023 at 03:39, Martin Thomson <mt@lowentropy.net> wrote:

> I don't see this as ready for adoption.  I have a lot of questions that
> the document doesn't answer.
>
> Why is this on the standards track?  It's just say "you could do X", where
> X is a standards-track document.  Informational is sufficient.
>

The standards track is required because it adds a new SvcParam key.


>
> Given the relative levels of DC adoption, I'm not sure that this is going
> to make this deployment model much more accessible, but if OS vendors are
> on board, perhaps we'll see this change.
>

Yes, we see support from OS vendors.


>
> The deployment model for this is pretty narrow, given that DC is
> essentially a license to impersonate.  The idea of "managed" devices makes
> it plausible at least, but the use of specifically-delegated names is
> essential.  That means that the central DNS is obligated to support ACME so
> that it can obtain a bunch of certificates.  (That doesn't mean STAR.
> Regular ACME would suffice; see below.)
>
> The tlsdelegation SvcParam makes no sense to me.  If the client has
> configuration sufficient to authenticate, that can include whatever
> information it needs to find the right endpoint to ask for a delegation.
>

The "tlsdelegation" SvcParam is added to signal to the client whether the
server is only accessible using DC. If the client does not support DC, it
will not attempt to establish an authenticated secure connection with the
discovered Encrypted DNS server. This was discussed at the IETF 117 WG
meeting, see https://datatracker.ietf.org/doc/minutes-117-add-202307260000/.


>
> There is no delegation protocol defined.  Is it the case that this is
> intended to be proprietary in the same way that authentication is?
>

Yes, CPEs are managed using both standard and proprietary protocols.


>
> I don't agree with the premise that ACME doesn't work for the CPE.  That
> would be a simpler overall system.  It doesn't need to be STAR.  The CPE
> has some means of obtaining a name from its management system.  Then it
> uses ACME.  Maybe it uses the management system to support the challenge
> (for the emplacement of DNS records, say).  Maybe this part of the protocol
> is standardized, maybe not.
>

https://datatracker.ietf.org/doc/html/draft-reddy-add-delegated-credentials-03#section-1.3.2
discusses the same mechanism, but the challenges with it are discussed in
the second paragraph of that section.

Cheers,
-Tiru


>
> Cheers,
> Martin
>
> On Sat, Dec 9, 2023, at 14:09, IETF Secretariat wrote:
> > The ADD WG has placed draft-reddy-add-delegated-credentials in state
> > Call For Adoption By WG Issued (entered by Glenn Deen)
> >
> > The document is available at
> > https://datatracker.ietf.org/doc/draft-reddy-add-delegated-credentials/
> >
> > Comment:
> > WG Adoption call will run until December 15 2023
> >
> > --
> > Add mailing list
> > Add@ietf.org
> > https://www.ietf.org/mailman/listinfo/add
>
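The exchange above turns on what a client should do with an SVCB/HTTPS record that carries a "tlsdelegation" SvcParam it may or may not understand. The following is an added example, not code from the draft, the thread or any ADD implementation: it decodes the SvcParams wire format of RFC 9460, applies the "mandatory" rule from RFC 9460 section 8, and then applies the client-side policy Tiru describes (a client without DC support does not attempt an authenticated connection). The key number 65280 (a private-use value), the presence-only empty encoding of the flag, and the sample records are all assumptions made for illustration; the draft's actual assignment and encoding may differ.

```python
import struct

# SvcParamKeys registered by RFC 9460 (SVCB) and RFC 9461 (dohpath).
KEY_MANDATORY = 0
KEY_ALPN = 1
KEY_PORT = 3
KEY_DOHPATH = 7
# ASSUMPTION: the draft's "tlsdelegation" key is given no number here; a
# private-use value (RFC 9460 reserves 65280-65534) stands in for it, and it
# is modelled as a presence-only flag with an empty value.
KEY_TLSDELEGATION = 65280


def parse_svcparams(wire: bytes) -> dict:
    """Decode SvcParams wire format: a sequence of (key u16, length u16,
    value) with keys in strictly ascending order (RFC 9460 section 2.2)."""
    params = {}
    off, last = 0, -1
    while off < len(wire):
        if off + 4 > len(wire):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack_from("!HH", wire, off)
        off += 4
        if key <= last:
            raise ValueError("SvcParamKeys not strictly ascending")
        if off + length > len(wire):
            raise ValueError("truncated SvcParam value")
        params[key] = wire[off:off + length]
        off, last = off + length, key
    return params


def build_svcparams(params: dict) -> bytes:
    """Encode SvcParams, emitting keys in ascending order."""
    return b"".join(struct.pack("!HH", k, len(v)) + v
                    for k, v in sorted(params.items()))


def parse_mandatory(value: bytes) -> set:
    """'mandatory' holds a strictly ascending list of u16 keys and must not
    list itself (RFC 9460 section 8)."""
    if not value or len(value) % 2:
        raise ValueError("bad mandatory length")
    keys = list(struct.unpack("!%dH" % (len(value) // 2), value))
    if keys != sorted(set(keys)) or KEY_MANDATORY in keys:
        raise ValueError("bad mandatory list")
    return set(keys)


def client_policy(wire: bytes, known_keys: set, supports_dc: bool):
    """Decide whether a client should try to authenticate to the encrypted
    DNS server described by this SvcParams blob. Returns (decision, reason)."""
    try:
        params = parse_svcparams(wire)
        mandatory = (parse_mandatory(params[KEY_MANDATORY])
                     if KEY_MANDATORY in params else set())
    except ValueError as err:
        return "skip", "malformed SvcParams: %s" % err
    # RFC 9460 section 8: an RR whose 'mandatory' lists a key this client
    # does not implement, or a key absent from the RR, must not be used.
    if mandatory - known_keys:
        return "skip", "mandatory key not implemented by this client"
    if mandatory - set(params):
        return "skip", "mandatory key missing from record"
    # A client that understands the flag but has no DC support does not
    # start a handshake it could never authenticate.
    if (KEY_TLSDELEGATION in known_keys and KEY_TLSDELEGATION in params
            and not supports_dc):
        return "skip", "server authenticates only with Delegated Credentials"
    return "connect", "ok"


# Constructed sample: a DoH resolver that only presents Delegated Credentials
# and marks the flag mandatory so legacy clients leave the record alone.
SAMPLE_DC_ONLY = build_svcparams({
    KEY_MANDATORY: struct.pack("!H", KEY_TLSDELEGATION),
    KEY_ALPN: b"\x02h2",
    KEY_DOHPATH: b"/dns-query{?dns}",
    KEY_TLSDELEGATION: b"",
})
# Constructed sample: same server, flag present but not listed as mandatory.
SAMPLE_NOT_MANDATORY = build_svcparams({
    KEY_ALPN: b"\x02h2",
    KEY_DOHPATH: b"/dns-query{?dns}",
    KEY_TLSDELEGATION: b"",
})

LEGACY_CLIENT = {KEY_MANDATORY, KEY_ALPN, KEY_PORT, KEY_DOHPATH}
DC_AWARE_CLIENT = LEGACY_CLIENT | {KEY_TLSDELEGATION}

if __name__ == "__main__":
    for rname, wire in (("dc-only/mandatory", SAMPLE_DC_ONLY),
                        ("dc-only/not-mandatory", SAMPLE_NOT_MANDATORY)):
        for cname, keys, dc in (("legacy", LEGACY_CLIENT, False),
                                ("dc-aware, no DC", DC_AWARE_CLIENT, False),
                                ("dc-aware, DC", DC_AWARE_CLIENT, True)):
            print(rname, cname, client_policy(wire, keys, dc))
```

The second sample record shows the failure mode worth checking in a deployment: a legacy client that does not know the key ignores it, reports "connect", and then fails certificate validation against a DC-only server. Listing the key in "mandatory" makes such clients skip the record instead, which is the behaviour a DC-only resolver wants from clients that predate the flag.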