Re: [COSE] cose-cbor-encoded-cert in DNS?

Göran Selander <goran.selander@ericsson.com> Mon, 01 August 2022 14:29 UTC

From: Göran Selander <goran.selander@ericsson.com>
To: Robert Moskowitz <rgm-sec@htt-consult.com>, Orie Steele <orie@transmute.industries>
CC: "cose@ietf.org" <cose@ietf.org>
Thread-Topic: [COSE] cose-cbor-encoded-cert in DNS?
Thread-Index: AQHYpTvd4vkfNG1FNkmYIh08TcqZFK2aDDmAgAAFooCAAAaSyA==
Date: Mon, 01 Aug 2022 14:29:04 +0000
Message-ID: <PAXPR07MB88449F95D80660AE0B12073CF49A9@PAXPR07MB8844.eurprd07.prod.outlook.com>
References: <6232ba5d-6a59-ec35-54bf-41de112ecec2@htt-consult.com> <CAN8C-_+CwkShUivm+Nj0xF3BpsNwF=4=puEosR+vLCbJt5U-Xw@mail.gmail.com> <acbbddc7-67cd-726d-5c5f-03b552ae5461@htt-consult.com>
In-Reply-To: <acbbddc7-67cd-726d-5c5f-03b552ae5461@htt-consult.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/J8e81BsEWEwvAaD3cj3a7fTcJ-8>

Hi Bob,

> But all this just SCREAMS for CBOR support.

About your original question, I’m not aware of any discussions of storing CBOR encoded X509 in DNS, but considering your setting it does make sense. Perhaps initially for the reversible (type 1), and later down the road the natively signed CBOR (type 0).

Göran


From: COSE <cose-bounces@ietf.org> on behalf of Robert Moskowitz <rgm-sec@htt-consult.com>
Date: Monday, 1 August 2022 at 15:54
To: Orie Steele <orie@transmute.industries>
Cc: cose@ietf.org <cose@ietf.org>
Subject: Re: [COSE] cose-cbor-encoded-cert in DNS?

On 8/1/22 09:33, Orie Steele wrote:
Bob,
Interesting RFCs...

- https://www.iana.org/assignments/cert-rr-types/cert-rr-types.xhtml
- https://datatracker.ietf.org/doc/html/rfc6698
- https://www.rfc-editor.org/rfc/rfc4398.html

Very much so.  Also 8005 for HIP has its own RR that uses IPSECKEY to represent the public key encoding.


I am also aware of some "DID Methods" that look similar:

- https://danubetech.github.io/did-method-dns/ (relatively new)
- https://tools.ietf.org/id/draft-mayrhofer-did-dns-03.html (fairly old)

I stuck with what is in DNS RR.  I have not looked into DID; I have my own scheme...


I am also interested in your motives :)

Are there any systems that are deployed today that look like this?

Check out draft-ietf-drip-registries.

It will be getting a big kick after work last week, including likely being split in half, but you can still see our intent.

The DET, which is an Identifier is mapped to an FQDN for DNS lookup.  In this FQDN is the Public Key either, or both available via HIP or TLSA RR.  Of course for TLSA, we have to stuff it into an ASN.1 OID because that is just how it is done...

But also we are putting the HDA's evidence of the UA's DET registration into CERT records using the OID Private because that is the only hammer to get that nail into the RR.  And for OID, we are using my arc from IANA's Enterprise Number.  Eventually we will get a better OID...

But all this just SCREAMS for CBOR support.

Particularly if you want to work within DNS for your stuff here.

Bob




Regards,

OS


On Sun, Jul 31, 2022 at 7:15 PM Robert Moskowitz <rgm-sec@htt-consult.com> wrote:
I have really not paid attention over here.  Got other fish to fly for
the most part.  But...

Have there been any discussions of storing these certs in DNS?

Like in TLSA and CERT RR?

Any plans to update these two RFCs: 4398 & 6698?

I have some ulterior motives in adding CBOR objects for these RR.

Bob

_______________________________________________
COSE mailing list
COSE@ietf.org
https://www.ietf.org/mailman/listinfo/cose


--
ORIE STEELE
Chief Technical Officer
www.transmute.industries



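Bob's message above describes parking a public key in a TLSA RR and registration evidence in a CERT RR of the "OID private" type. The following is an added example, not code from this thread or from the COSE or DRIP drafts: it encodes and decodes the RDATA of both record types as RFC 6698 and RFC 4398 define them, including the BER-encoded OID prefix that a type 254 CERT record carries, and it shows the check a verifier performs to decide whether a presented certificate satisfies a TLSA record. The certificate and SPKI bytes are constructed placeholders, not a real C509 or X.509 certificate, and the OID uses 32473, IANA's documentation enterprise number, in place of a real private enterprise arc.

```python
"""Added example, not code from the thread or from the COSE/DRIP drafts: wire
encoding of the two DNS record types discussed, TLSA (RFC 6698) and CERT
(RFC 4398, including the "OID private" type 254), plus the verifier-side
TLSA match check. Certificate/SPKI bytes below are constructed placeholders."""
import hashlib
import hmac
import struct

# --- TLSA RDATA (RFC 6698): usage(1) selector(1) matching type(1) assoc data
def encode_tlsa(usage: int, selector: int, mtype: int, assoc: bytes) -> bytes:
    """usage 0-3 (3 = DANE-EE); selector 0 = full cert, 1 = SubjectPublicKeyInfo;
    matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    if any(not 0 <= v <= 255 for v in (usage, selector, mtype)):
        raise ValueError("TLSA field out of range")
    return struct.pack("!BBB", usage, selector, mtype) + assoc

def decode_tlsa(rdata: bytes):
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    return struct.unpack("!BBB", rdata[:3]) + (rdata[3:],)

def tlsa_presentation(rdata: bytes) -> str:
    """RFC 6698 presentation form, e.g. '3 1 1 <hex>'."""
    usage, selector, mtype, assoc = decode_tlsa(rdata)
    return f"{usage} {selector} {mtype} {assoc.hex()}"

def tlsa_assoc_for(selector: int, mtype: int, cert: bytes, spki: bytes) -> bytes:
    """Association data a record must carry for this cert: select, then match."""
    selected = {0: cert, 1: spki}[selector]
    if mtype == 0:
        return selected
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](selected).digest()

def tlsa_matches(rdata: bytes, cert: bytes, spki: bytes) -> bool:
    """Verifier side: does the presented cert satisfy this record? An unknown
    selector or matching type makes the record unusable, never a match."""
    _usage, selector, mtype, assoc = decode_tlsa(rdata)
    try:
        expected = tlsa_assoc_for(selector, mtype, cert, spki)
    except KeyError:
        return False
    return hmac.compare_digest(expected, assoc)

# --- CERT RDATA (RFC 4398): type(2) key tag(2) algorithm(1) certificate
CERT_TYPE_OID = 254   # "OID private": certificate field starts with a BER OID

def encode_oid(dotted: str) -> bytes:
    """BER/DER-encode a dotted OID (short-form length and first arc 0..2 only)."""
    arcs = [int(a) for a in dotted.split(".")]
    first = 40 * arcs[0] + arcs[1]
    if arcs[0] > 2 or first > 127:
        raise ValueError("unsupported leading arcs")
    body = bytearray([first])
    for arc in arcs[2:]:                      # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("OID too long for short-form length")
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid(der: bytes) -> str:
    if len(der) < 3 or der[0] != 0x06 or der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("malformed or unsupported OID encoding")
    body = der[2:]
    arcs, val, pending = [body[0] // 40, body[0] % 40], 0, False
    for b in body[1:]:
        val, pending = (val << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(val)
            val = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)

def encode_cert_rr(cert_type: int, key_tag: int, algorithm: int,
                   cert: bytes, oid=None) -> bytes:
    """Type 254 carries the BER OID naming the private format before the cert."""
    if (cert_type == CERT_TYPE_OID) != (oid is not None):
        raise ValueError("an OID is required exactly when type is 254")
    prefix = encode_oid(oid) if oid else b""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + prefix + cert

def decode_cert_rr(rdata: bytes):
    if len(rdata) < 5:
        raise ValueError("CERT RDATA too short")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    body, oid = rdata[5:], None
    if cert_type == CERT_TYPE_OID:
        if len(body) < 2 or body[0] != 0x06 or body[1] & 0x80:
            raise ValueError("type 254 CERT without a valid OID prefix")
        n = 2 + body[1]
        oid, body = decode_oid(body[:n]), body[n:]
    return cert_type, key_tag, algorithm, oid, body

# Constructed placeholders, not real certificates. 32473 is the IANA
# documentation enterprise number (RFC 5612), standing in for a real PEN arc.
PLACEHOLDER_CERT = b"constructed-placeholder-certificate-bytes"
PLACEHOLDER_SPKI = b"constructed-placeholder-spki-der"
PLACEHOLDER_OID = "1.3.6.1.4.1.32473.1"
```

The key tag and algorithm fields of the CERT record are passed through unchanged here (0 in the placeholders); the RFC 4398 rules for deriving them from a DNSSEC-style key are outside what this example covers. On the TLSA side, `tlsa_matches` deliberately returns False for selector or matching-type values it does not understand, so an unrecognised record can never be mistaken for a successful match.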