Re: [COSE] cose-cbor-encoded-cert in DNS?
Robert Moskowitz <rgm-sec@htt-consult.com> Mon, 01 August 2022 15:41 UTC
Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: cose@ietfa.amsl.com
Delivered-To: cose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C42BC14F726 for <cose@ietfa.amsl.com>; Mon, 1 Aug 2022 08:41:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.099
X-Spam-Level:
X-Spam-Status: No, score=-4.099 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ODiUqYhCxz8X for <cose@ietfa.amsl.com>; Mon, 1 Aug 2022 08:40:59 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D50DFC14F743 for <cose@ietf.org>; Mon, 1 Aug 2022 08:40:58 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 182BE62569; Mon, 1 Aug 2022 11:39:56 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id d9dM+AyKrfrJ; Mon, 1 Aug 2022 11:39:37 -0400 (EDT)
Received: from [192.168.160.11] (unknown [192.168.160.11]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 27667623C1; Mon, 1 Aug 2022 11:39:36 -0400 (EDT)
Content-Type: multipart/alternative; boundary="------------iZ3ScfHBcq9lyKdAAwS9iLSC"
Message-ID: <32c1d3cf-6844-3421-1c71-b3b6299a7550@htt-consult.com>
Date: Mon, 01 Aug 2022 11:40:17 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
To: Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>, Orie Steele <orie@transmute.industries>
Cc: "cose@ietf.org" <cose@ietf.org>
References: <6232ba5d-6a59-ec35-54bf-41de112ecec2@htt-consult.com> <CAN8C-_+CwkShUivm+Nj0xF3BpsNwF=4=puEosR+vLCbJt5U-Xw@mail.gmail.com> <acbbddc7-67cd-726d-5c5f-03b552ae5461@htt-consult.com> <PAXPR07MB88449F95D80660AE0B12073CF49A9@PAXPR07MB8844.eurprd07.prod.outlook.com>
From: Robert Moskowitz <rgm-sec@htt-consult.com>
In-Reply-To: <PAXPR07MB88449F95D80660AE0B12073CF49A9@PAXPR07MB8844.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cose/aP7bzj0tEouQTZW9xMmXVfVoA9c>
Subject: Re: [COSE] cose-cbor-encoded-cert in DNS?
X-BeenThere: cose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: CBOR Object Signing and Encryption <cose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cose>, <mailto:cose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cose/>
List-Post: <mailto:cose@ietf.org>
List-Help: <mailto:cose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cose>, <mailto:cose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2022 15:41:03 -0000
On 8/1/22 10:29, Göran Selander wrote: > > Hi Bob, > > > But all this just SCREAMS for CBOR support. > > About your original question, I’m not aware of any discussions of > storing CBOR encoded X509in DNS, but considering your setting it does > make sense. Perhaps initially for the reversible (type 1), and later > down the road the natively signed CBOR (type 0). > And something like OID Private for CBOR Attestations and Evidence structures. Why stick it on a string which happens to be an OID becuase that is the only option? > Göran > > *From: *COSE <cose-bounces@ietf.org> on behalf of Robert Moskowitz > <rgm-sec@htt-consult.com> > *Date: *Monday, 1 August 2022 at 15:54 > *To: *Orie Steele <orie@transmute.industries> > *Cc: *cose@ietf.org <cose@ietf.org> > *Subject: *Re: [COSE] cose-cbor-encoded-cert in DNS? > > On 8/1/22 09:33, Orie Steele wrote: > > Bob, > > Interesting RFCs... > > > - > https://www.iana.org/assignments/cert-rr-types/cert-rr-types.xhtml > <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-24d5d9a60908d82f&q=1&e=d5a277d2-e58d-448a-a771-0c222822db93&u=https%3A%2F%2Fwww.iana.org%2Fassignments%2Fcert-rr-types%2Fcert-rr-types.xhtml> > - https://datatracker.ietf.org/doc/html/rfc6698 > <https://datatracker.ietf.org/doc/html/rfc6698> > - https://www.rfc-editor.org/rfc/rfc4398.html > <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-b93db923149bae5e&q=1&e=d5a277d2-e58d-448a-a771-0c222822db93&u=https%3A%2F%2Fwww.rfc-editor.org%2Frfc%2Frfc4398.html> > > > Very much so. Also 8005 for HIP has its own RR that uses IPSECKEY to > represent the public key encoding. > > > I am also aware or some "DID Methods" that look similar: > > - https://danubetech.github.io/did-method-dns/ > <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-3d3fd437ab736efa&q=1&e=d5a277d2-e58d-448a-a771-0c222822db93&u=https%3A%2F%2Fdanubetech.github.io%2Fdid-method-dns%2F>(relatively > new) > - https://tools.ietf.org/id/draft-mayrhofer-did-dns-03.html > <https://tools.ietf.org/id/draft-mayrhofer-did-dns-03.html>(fairly > old) > > > I stuck with what is in DNS RR. I have not looked into DID; I have my > own scheme... > > > I am also interested in your motives :) > > Are there any systems that are deployed today that look like this? > > > Check out draft-ietf-drip-registries. > > It will be getting a big kick after work last week, including likely > being split in half, but you can still see our intent. > > The DET, which is an Identifier is mapped to an FQDN for DNS lookup. > In this FQDN is the Public Key either, or both available via HIP or > TLSA RR. Of course for TLSA, we have to stuff it into an ASN.1 OID > because that is just how it is done... > > But also we are putting the HDA's evidence of the UA's DET > registration into CERT records using the OID Private because that is > the only hammer to get that nail into the RR. And for OID, we are > using my arc from IANA's Enterprise Number. Eventually we will get a > better OID... > > But all this just SCREAMS for CBOR support. > > Particularly if you want to work within DNS for your stuff here. > > Bob > > > > > Regards, > > OS > > On Sun, Jul 31, 2022 at 7:15 PM Robert Moskowitz > <rgm-sec@htt-consult.com <mailto:rgm-sec@htt-consult.com>> wrote: > > I have really not paid attention over here. Got other fish to > fly for > the most part. But... > > Has there been any discussions of storing these certs in DNS? > > Like in TLSA and CERT RR? > > Any plans to update these two RFCs: 4398 & 6698? > > I have some alterior motives in adding CBOR objects for these RR. > > Bob > > _______________________________________________ > COSE mailing list > COSE@ietf.org <mailto:COSE@ietf.org> > https://www.ietf.org/mailman/listinfo/cose > <https://www.ietf.org/mailman/listinfo/cose> > > > -- > > *ORIE STEELE* > > Chief Technical Officer > > www.transmute.industries > <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-a7ff2eb208872658&q=1&e=d5a277d2-e58d-448a-a771-0c222822db93&u=http%3A%2F%2Fwww.transmute.industries%2F> > > <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-c169100f194b3f01&q=1&e=d5a277d2-e58d-448a-a771-0c222822db93&u=https%3A%2F%2Fwww.transmute.industries%2F> > > > > _______________________________________________ > > COSE mailing list > > COSE@ietf.org > > https://www.ietf.org/mailman/listinfo/cose > > > _______________________________________________ > COSE mailing list > COSE@ietf.org > https://www.ietf.org/mailman/listinfo/cose
- [COSE] cose-cbor-encoded-cert in DNS? Robert Moskowitz
- Re: [COSE] cose-cbor-encoded-cert in DNS? Orie Steele
- Re: [COSE] cose-cbor-encoded-cert in DNS? Robert Moskowitz
- Re: [COSE] cose-cbor-encoded-cert in DNS? Göran Selander
- Re: [COSE] cose-cbor-encoded-cert in DNS? Robert Moskowitz
- Re: [COSE] cose-cbor-encoded-cert in DNS? Carsten Bormann
- Re: [COSE] cose-cbor-encoded-cert in DNS? Robert Moskowitz
- Re: [COSE] cose-cbor-encoded-cert in DNS? Carsten Bormann
- Re: [COSE] cose-cbor-encoded-cert in DNS? Robert Moskowitz
- Re: [COSE] cose-cbor-encoded-cert in DNS? Robert Moskowitz
- Re: [COSE] cose-cbor-encoded-cert in DNS? Carsten Bormann
- Re: [COSE] cose-cbor-encoded-cert in DNS? Robert Moskowitz
- Re: [COSE] cose-cbor-encoded-cert in DNS? Carsten Bormann
- Re: [COSE] cose-cbor-encoded-cert in DNS? Robert Moskowitz