Re: [Dance] draft-ietf-dance-client-auth-01 sec 8
Robert Moskowitz <rgm-sec@htt-consult.com> Fri, 05 May 2023 14:30 UTC
Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: dance@ietfa.amsl.com
Delivered-To: dance@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBDFEC13AE28 for <dance@ietfa.amsl.com>; Fri, 5 May 2023 07:30:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yJYR8zb-RHW0 for <dance@ietfa.amsl.com>; Fri, 5 May 2023 07:30:53 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18483C13AE33 for <dance@ietf.org>; Fri, 5 May 2023 07:30:53 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id DA3C96267D; Fri, 5 May 2023 10:30:28 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id n01GQmXvEwkm; Fri, 5 May 2023 10:30:21 -0400 (EDT)
Received: from [192.168.160.29] (unknown [192.168.160.29]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id AADC660944; Fri, 5 May 2023 10:30:18 -0400 (EDT)
Content-Type: multipart/alternative; boundary="------------pVCa2fj4aOd0Ru1iEmeqcmET"
Message-ID: <6d891160-247e-27ad-1a2b-01b124c1e290@htt-consult.com>
Date: Fri, 05 May 2023 10:30:38 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0
Content-Language: en-US
To: Shumon Huque <shuque@gmail.com>
Cc: dance@ietf.org
References: <5cbfe2ef-6582-c0b7-181a-fb2fbdb521e1@htt-consult.com> <CAHPuVdX6fZy8qESjLwvdALp5zVVwaXDq_uhUYRQmdAFbQTTyjA@mail.gmail.com>
From: Robert Moskowitz <rgm-sec@htt-consult.com>
In-Reply-To: <CAHPuVdX6fZy8qESjLwvdALp5zVVwaXDq_uhUYRQmdAFbQTTyjA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dance/EBc67eIva2txba3kKGLMDrt54ps>
Subject: Re: [Dance] draft-ietf-dance-client-auth-01 sec 8
X-BeenThere: dance@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DANE Authentication for Network Clients Everywhere <dance.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dance>, <mailto:dance-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dance/>
List-Post: <mailto:dance@ietf.org>
List-Help: <mailto:dance-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dance>, <mailto:dance-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 May 2023 14:30:57 -0000
Shumon, In DRIP, there is no plan to mandate X.509 certificates behind the keypair forming the DETs (see rfc 9374). There will be some optional X.509 defined at some point. The focus right now is on the DNS that will provide access to the SPKI for the keys used in DRIP. This DNS will provide for both TLSA and HIP support. There is also a RATS-style Endorsement of the DET/PK that will also be in DNS (for starters a CERT RR with private OID, perhaps a new RR or new type for TLSA). Thus YES it is DNS for the SPKI for the client as well as the server. Of course in some cases like Detect And Avoid (DAA) who is on first is open to events in the sky. In Network Remote ID (see draft-moskowitz-secure-nrid-c2) the client/server roles are clear. And since the SPKI in TLSA will be available, hashing it makes no sense. On 5/4/23 22:26, Shumon Huque wrote: > On Thu, May 4, 2023 at 9:50 AM Robert Moskowitz > <rgm-sec@htt-consult.com> wrote: > > Raw Public Keys > > Should Matching Type Field of '0' be included here that then it is > > 3 1 0 (SPKI) > > > Robert, > > I don't see a specific reason to restrict raw public keys to only > matching-type 0, unless your application is also using the DNS > to discover the client public keys. > > Can you elaborate on your rationale? > > Since I am using EdDSA25519, the SPKI is 44 bytes. > > > I guess, matching type 2 (SHA512) makes less sense in that case since > the data field part of the TLSA record will be larger than that. > > Shumon. > >
- [Dance] draft-ietf-dance-client-auth-01 sec 8 Robert Moskowitz
- Re: [Dance] draft-ietf-dance-client-auth-01 sec 8 Shumon Huque
- Re: [Dance] draft-ietf-dance-client-auth-01 sec 8 Robert Moskowitz