Re: [Dance] DANCE Architecture draft
Rick van Rein <rick@openfortress.nl> Mon, 14 November 2022 13:01 UTC
Return-Path: <vanrein@vanrein.org>
X-Original-To: dance@ietfa.amsl.com
Delivered-To: dance@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC0DDC152584 for <dance@ietfa.amsl.com>; Mon, 14 Nov 2022 05:01:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.336
X-Spam-Level:
X-Spam-Status: No, score=-2.336 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kpnmail.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BhB8dlMJQPYk for <dance@ietfa.amsl.com>; Mon, 14 Nov 2022 05:01:32 -0800 (PST)
Received: from ewsoutbound.kpnmail.nl (ewsoutbound.kpnmail.nl [195.121.94.167]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BB22C152582 for <dance@ietf.org>; Mon, 14 Nov 2022 05:01:07 -0800 (PST)
X-KPN-MessageId: 64c9bddf-641c-11ed-a5a6-005056abbe64
Received: from smtp.kpnmail.nl (unknown [10.31.155.40]) by ewsoutbound.so.kpn.org (Halon) with ESMTPS id 64c9bddf-641c-11ed-a5a6-005056abbe64; Mon, 14 Nov 2022 14:01:03 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kpnmail.nl; s=kpnmail01; h=content-type:mime-version:message-id:subject:to:from:date; bh=IB9qKKZ8zZQk+Sv3yqxBAqD3Fg5+LiTLKdi8NQVGkZw=; b=ou7FoPqoUW921ccDxZ7Y2x23muAvNjiC8FzYCe6jEtXWAT2pX8wDzOy3D834z+YMiaBpEupdVJJgI g8y8VZj1Ezw0raCGbaBIiA8WAlJWyxKOmYP1H33JqdRZ3NCzCLUgXfzpJYgpNNHh94V81r+YHLuMJD 7RK1p9kCM+yPCgdQ=
X-KPN-MID: 33|tw0Ix5Q1pctCB4lANNEQft91qGDDoQcKPz0iLsJdtlALSfdhYuHoaTAD9SQtJt8 3vLFM0nOLRRGQsnLXfMJkLJsIZaRD7QFtMXFygdA67D8=
X-KPN-VerifiedSender: No
X-CMASSUN: 33|bCUHz4qwvQ8SIL+xKIQ38b2SHkHs3nRtshzR+HZrPoBad1Rpm+WqisB8Y0JAPRS pYDZ+VBW1jo74w+s/o9myfQ==
X-Originating-IP: 77.173.183.203
Received: from fame.vanrein.org (77-173-183-203.fixed.kpn.net [77.173.183.203]) by smtp.xs4all.nl (Halon) with ESMTPSA id 6582e0f2-641c-11ed-9ebc-005056ab7584; Mon, 14 Nov 2022 14:01:04 +0100 (CET)
Received: by fame.vanrein.org (Postfix, from userid 1000) id 19F1C2BD36; Mon, 14 Nov 2022 13:01:04 +0000 (UTC)
Date: Mon, 14 Nov 2022 13:01:03 +0000
From: Rick van Rein <rick@openfortress.nl>
To: dance@ietf.org
Message-ID: <20221114130103.GA1845@openfortress.nl>
Mail-Followup-To: dance@ietf.org
References: <92E290E3-ADDF-4969-8317-CB0E51EBA054@edvina.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <92E290E3-ADDF-4969-8317-CB0E51EBA054@edvina.net>
User-Agent: Mutt/1.5.20 (2009-06-14)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dance/QLlUNdIovDdJXgBxQKGy9jxhevk>
Subject: Re: [Dance] DANCE Architecture draft
X-BeenThere: dance@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DANE Authentication for Network Clients Everywhere <dance.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dance>, <mailto:dance-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dance/>
List-Post: <mailto:dance@ietf.org>
List-Help: <mailto:dance-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dance>, <mailto:dance-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Nov 2022 13:01:39 -0000
Hi,
> My suggestion was to
> - Create a separate “how to dance” document with advice on how to adopt this to various protocols and what needs to be covered in more use-case specific drafts
That sounds like a good idea, and it should be open for later additions if at all possible.
The examples in draft-ietf-dance-client-auth are very loose, and I would argue
that strong prescriptive examples are ideal from the perspective of interop.
> In addition we discussed a more generic “confirming email-style identifiers with Dance” draft and had people in the room willing to start with that. This could potentially apply to authenticating for SMTP/Submission, SIP ua to registrar/proxy and similar use cases.
Yes, gladly. This is what I've always thought when I hear the term
Client DANE (the devices would have been my second, also very useful,
case).
I think the distinction is that this is not a host-wide but a user-specific
form, and its DNS naming could be
[service]._user.[domainname] IN TLSA x x x xxxx
Where Root/Intermediate CA certificates are a useful form because they are
permissive for many protocols.
Wildcards might be used to say things that apply to a plethora of
services,
*._user.[domainname] IN TLSA x x x xxxx
These cover-all would be overridden under DNS rules for more special services,
xmpp._user.[domainname] IN TLSA x x x xxxx
And they could be forbidden under DNS rules for other services, perhaps for
SMTP becauses the mail protocol for users is called "submission" and "smtp"
is reserved for mta2mta,
smtp._user.[domainname] IN TXT "Client DANE wildcard blocked"
Playing with these special kinds also brings up other values for the "x x x"
entries, which I think would be useful. We might also think about the use of
CNAME and DNAME references, which a DNS server normally handles.
> I will try to put up a skeleton for a “how to dance” document on the git repo soon and skeleton for the use cases so I can start cutting things out of architecture and put into those skeletons for further work by the group.
Lovely. I already wrote to a few issues that I might be able to help with.
I would also like to add LDAP, because it is such a potent database, esp.
when the Client Identity is known.
> Any help with this is of course very appreciated.
I intend to keep you happy :)
> During the WG meeting I suggested to do a massive edit of the architecture draft
I have a few suggestions, but please let me know if I missed documentation
(or perhaps am repeating past discussion). Will send text or PRs when
requested.
1. Be explicit about authentication/authn vs. authorization/authz. While
authn is the responsibility of TLS, authz is an application matter. As an
example, the lookup of client names in a list is a very specific example of
authz, and I would rather see it changed into something like "the application
makes an authorization choice". The term "DANE preauthorization" confuses me.
I don't know how authz would apply when a DNS wildcard is used.
2. Comparison of dane_clientid to [a list of] client domains... are you trying
to (a) match the domain part after Client DANE labels [that would be authn] or
(b) match the Client DANE labels [that would be authz] or both [that's mixed]?
Since not all Client DANE labels end with a _device or _service or _user in the
same place it may be possible to do naughty things to any check on them.
3. "DNS records should be validated by the DNS stub resolver, using the DNSSEC protocol."
This is a case where "should" can be written "SHOULD" or "MUST". For more detail,
these lyrics from draft-vanrein-dnstxt-krb1 may help:
<t>Since DNS in general cannot be considered secure, the client MUST validate
DNSSEC and it MUST dismiss any DNS responses that are Insecure, Bogus or
Indeterminate [Section 5 of <xref target="RFC4033"/>]. Only the remaining
Secure responses are to be taken into account. This specification does
not require that the DNS client validates the responses by itself, but a
deployment of _kerberos TXT records SHOULD NOT accept DNS responses from
a trusted validating DNS resolver over untrusted communication channels.</t>
4. On privacy of identity: Hashing a userid does not always help. If it's a
predictable form itl1235123 then iteration is very easy. And because it'd be
a static substitution it wouldn't add dynamicity. You might consider a * for
the client name, and otherwise benefit from TLS 1.3 encryption of the clicert.
5. On DNS scaling: TLS may be slowed down, I am not sure about DTLS. Recurring
DNS queries on the same DNS server may be a hint to delay traffic. Bloom filters
can make such hold-back fairly easy to implement. Question: Is this sufficiently
in the interest of the TLS server operator?
I hope this helps!
-Rick
- [Dance] DANCE Architecture draft Olle E. Johansson
- Re: [Dance] DANCE Architecture draft Rick van Rein
- Re: [Dance] DANCE Architecture draft Olle E. Johansson
- Re: [Dance] DANCE user naming Olle E. Johansson
- Re: [Dance] DANCE Architecture draft Michael Richardson
- Re: [Dance] DANCE user naming Rick van Rein
- Re: [Dance] DANCE user naming Tim Wicinski
- Re: [Dance] DANCE Architecture draft Olle E. Johansson
- Re: [Dance] DANCE user naming Olle E. Johansson
- Re: [Dance] DANCE user naming Rick van Rein
- Re: [Dance] DANCE user naming Rick van Rein
- Re: [Dance] DANCE user naming Michael Richardson