[Dance] Minutes from the DANCE IETF-123 meeting

Wes Hardaker <wjhns1@hardakers.net> Sat, 26 July 2025 22:09 UTC

From: Wes Hardaker <wjhns1@hardakers.net>
To: dance@ietf.org
User-Agent: Gnus/5.13 (Gnus v5.13)
Date: Sat, 26 Jul 2025 15:08:52 -0700
Message-ID: <yblh5yyvc3v.fsf@wx.hardakers.net>
MIME-Version: 1.0
Content-Type: text/plain
Message-ID-Hash: VFE6Q44NHMT4ROF65BGVPYXLNM3NX3AY
Precedence: list
Subject: [Dance] Minutes from the DANCE IETF-123 meeting
Archived-At: <https://mailarchive.ietf.org/arch/msg/dance/Lx0cQZu1C6xpJDaAlZbeVc98PEw>

Below are the minutes taken during the DANCE meeting which I've now
published. Let me know if there are any corrections.

HUGE thanks to Rich for taking these notes.

# DANCE

Thursday, 2025-07-24 -- 12:00 local -- 10:00 UTC
Notes: Rich "twisted arm" Salz

## All three about to go to IESG:
- draft-ietf-dance-architecture
- draft-ietf-dance-client-auth
- draft-ietf-dance-tls-clientid

## draft-hallambaker-dns-dance

- Vision: Every host (light bulb, etc) has a DNS name, even if it's not a public name. "Handle Service Provider" new/existing/AV/other to provide this kind of service. HSP is open service, so users can switch providers (for paid case).

- "What if Internet goes down?" Now need client TLS auth. If everything has a DNS name, DANCE is a way to authenticate.

Paul: Roughly "zero" people have their own DNS name. So unlikely to expect my family using "paul.gmail.com" to ever be able to migrate.
PHB: There are ways to address it (see Bluesky practices, GNS free partition, etc). I think the main reason is there's no use for general consumer to get a name. I think this creates demand.
Paul: I got lucky and have easy "nohats" don't think DNS Ncan do that.
Viktor: FB has a billion users, so I'm not skeptical of a billion users in a namespace.

- TLS client auth with reasonable name is the obvious tech choice. (HSP runs small private CA, probably via ACME; each user has their own root). Open questions: how to bind root, cert profile,

Viktor: At TLS yesterday, discussion of draft for client to tell server "ask for my client certificate" You might find it helpful. Browsing with Kerberos can be cleaner than webauth, so look at GSS model.
DKG: I think you're asking for a super-cookie. There are downsides to having completely friction-free identity system.
PHB: Those are valid concerns. If people are going to partition their identity, it can be done once not every time.
Q: Be careful about CA's, since they aren't held to same high standards of WebPKI root trust stores.
PHB: Not expecting existing software to use there
Discussion of X509 nameConstraints, who supported it,
Wes: This is DANE-based WG, so for off-line use how do you use DANE?
Viktor: Local DNS infrastructure
PHB: Cache roots; have a device in the user's house to handle this (e.g., DNS cache)

- Next steps?

Viktor: want more details on protocols for me to understand the problem. If you're really off-line, time sync is very hard and we need time for our protocols.
PHB: I was told DANCE is shutting down, wanted to get expertise. OFf-line/time *is* a big problem.
Paul: A problem with DANCE is putting things into DNS that you don't want to share.
PHB: Split-DNS (a records private; ACME records public while requesting renewal)
Paul: SETTLE mailing list
Jim Reid: Interesting, but not really appropriate for DANCE, lots of things in there. Private CA roots in split-DNS terrifies me. Maybe progress via mailing list.
PHB: I
(Break while I was waiting on the mic line)
Wes: Maybe come back before existing docs are done with IETF last call -- i.e., months.

Paul as Sec AD: This has been very hard to get work in this WG. Need more than just five people interested for it to be believable that it would succeeed.

--
Wes Hardaker
USC/ISI

[Dance] Minutes from the DANCE IETF-123 meeting Wes Hardaker
[Dance] Re: Minutes from the DANCE IETF-123 meeti… Michael Richardson