[Dance] Comments on draft-ietf-dance-architecture-09
Eric Rescorla <ekr@rtfm.com> Thu, 22 January 2026 01:15 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: dance@mail2.ietf.org
Delivered-To: dance@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 0C9DFAB3B8BF for <dance@mail2.ietf.org>; Wed, 21 Jan 2026 17:15:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bRPi7L2wxoaq for <dance@mail2.ietf.org>; Wed, 21 Jan 2026 17:15:04 -0800 (PST)
Received: from mail-yx1-xb12e.google.com (mail-yx1-xb12e.google.com [IPv6:2607:f8b0:4864:20::b12e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 14C2FAB3B8B3 for <dance@ietf.org>; Wed, 21 Jan 2026 17:15:04 -0800 (PST)
Received: by mail-yx1-xb12e.google.com with SMTP id 956f58d0204a3-6446c924f9eso504006d50.1 for <dance@ietf.org>; Wed, 21 Jan 2026 17:15:04 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1769044497; cv=none; d=google.com; s=arc-20240605; b=ZTTRpQPEqGsuiMp/lkXSv0fnmvf5gbgEYnYCi+fKHkDrkYqaaVh9aGk8t0pUFM4OpT E8FNGD6pcw5BWoOWMoJi+2yCULHnILIZcD+omxX4TomZMOlDzptOAO35YFzV889PfC2N YhhKUI1taoar/2NvBIguf9kILf6j1P97noWFSAdX3KpCFPlD65Sw+kL8vPpfl6vpgEJr 30EgSxvOk5BJMMJNH+g8vDESB/MqtnZADPNua5d7ZqIEzZIDAMyf8dXiWuQNTEx77qDi xE0EiFxclki7VvTJwTYzzavFkGO6em3K8LRk0osO2v/XhEeBJcoZ4R4a2c2RZLTA3kGR 9ICQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=to:subject:message-id:date:from:mime-version:dkim-signature; bh=NhxtGCfmUpvt4EPWgYX9UWDmWXwqKofaRs+Lpwvzmwo=; fh=+ui5Lt3GoY6PDn2Ik5ENoGGwyu1W5Kctp1t5O57cotk=; b=LUsXbP24N1462IJOgjqjMTigkKgwebqaXjwSkWK3xeahORPABHM92UV6AosnYdKinj GQV8dQeAv2lg/GQAyttij02DRpyiOt2OoRL/xDXbiIQxQfx9Z/3PsTUENtsW6/XDr72C JvERMdnAd+ylTRl58K05X7tLkauTtZOArnALwbq2VKjvJPERi2QVC5F/9RvLa0CEu3yI V59kW7m94MmuBTv7FAszOZIS1W3e81PiF31X9dZgFa1eQCKyu+jBghdsLLD4AUfE4DrZ mxvL8ombQp5+MXReFsz14eNEIyPKuNEk7VBAsjeAD1bK5kY5G9GlGY2TN0LEhNEHrFzN PheA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1769044497; x=1769649297; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=NhxtGCfmUpvt4EPWgYX9UWDmWXwqKofaRs+Lpwvzmwo=; b=VxYzQ3d7BCH1FYghHyAw9xXmgjlqHjkgvrjAo/dU0XRbkjXYI2cGxVvW4N3HlsveXA 203ui0+yjq9jkeADs6Oy9KYK3y4LTxK0Ca7lvtlTRYrTY3JkjFkev4gwaYObksrQahnB mdEE934TAppN4/CY6fx5V5JcnMoSjX5A4KP8spLjJZvfghVsA/oNgw1C5eRgAvTTQTV7 39no8I8sa5GbSlcm5JzOgPsl/QnOTpYavFHKOmSBQ0KWZlZ8BmDVIpKmAhR4Uwor7UML v8X2rAqJiZSB3Wcv4Dtg43aYReE1txo0LbRLGrrt772iJgOm4RUvFWVYfScadeKSO1wd /vYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769044497; x=1769649297; h=to:subject:message-id:date:from:mime-version:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=NhxtGCfmUpvt4EPWgYX9UWDmWXwqKofaRs+Lpwvzmwo=; b=i1qs9rS6t8iCQfvwzvujrJusSh88CTBoeXudh4l+tkCqxKLxaRdEPxpuY2WbaOBJiv lRMyErrhbctvfSQnKMqiF0HQWKuK+f+IykzeqLyhU1wCy9Fn5bJbdoMiyL/HWufLmtGZ D6dkJg23QznifzPlrax+cEbc/BfjAXsvArlQSceP7dNepjjgTDBp/7OxQ/+Lm3UAHLbF gI4G7d7nGgqruSxPWQZG3wxRaYg4XTnuzHpMUgZFB0voFGNrWeFk60S1kj9kPxZPwKm8 wxafWxV///z3txfPDKSmCyEDUoaWE2JEzZW9kISIVb7XZiTeX6FM1hV27Qgdpbosvurv qAQg==
X-Forwarded-Encrypted: i=1; AJvYcCVOuzoLAWqjQkYbHGu+y663HMcAe1YMk0/2lkDlMObs5UCEAI4XSKHtuumL2NLgl2sfkahpZQ==@ietf.org
X-Gm-Message-State: AOJu0Yzqkjf5eW4LY8LBmtbSEmyh8KkTYYW0sOW3iSaBleafMKElu9yX vxxA5DbqN7XnjzFad1WlAL8tBdbH0os1SxFvSs3z5uUjvT5eYhRhdaH2U0UsVXi/YY5wiODe+XD 2bZWIh3AtNStDHaS0bg/6gKCH7avyocK/S/HI2QBUfg==
X-Gm-Gg: AZuq6aJa43RjlKaF1QMsV1g0N26WTl5pZc1kfEGP2sQWurY+f8+qPzgeLbxdnss9qgn jCGQqBNyBdqIcAn31xtFFR2OQld5woETO20xz4cpHz3tMIMxyEZbTIgerxufAWHE68u8dmquMoT M50Tf6Gj5KnFh/eoBsexNBEUJskoLb7aQEpxDWdwn4gHkubJ0cIYFumEAcjpQmn7YKZcAjZ7+QK Kr7uadvbn0wRv0s26/Pu0aYC+1b7p3BDcmlN9cpCq8bvonDAOMmsDp83wSuk0uHWahrZ/WyEVIP UOdBUV2WOqI2oGhiKl2UG/wh+Iy0sTQL7TX1T+S5Z7Tu18baZv/LM9b6OOE+ND3CEIwYuw5JU11 7NdHW/cSl1Q==
X-Received: by 2002:a05:690e:151c:b0:649:1d22:6c2f with SMTP id 956f58d0204a3-6491d226daamr15198887d50.47.1769044496889; Wed, 21 Jan 2026 17:14:56 -0800 (PST)
MIME-Version: 1.0
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 21 Jan 2026 17:14:21 -0800
X-Gm-Features: AZwV_QiSRaHz3rFaQ3e54DxOoDr7guCj_s_YceBuZiunFHljzWS9Tx7iNVVJuk8
Message-ID: <CABcZeBMXRpp8Fo78ABemYar_8kitj8Q8GfWRi_24T3h9Ck-RLw@mail.gmail.com>
To: IESG <iesg@ietf.org>, Last Call <last-call@ietf.org>, dance@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d4446a0648efc4c7"
Message-ID-Hash: DATX6TAOECT5ZEY5CSBDXDJY4V4QCVSO
X-Message-ID-Hash: DATX6TAOECT5ZEY5CSBDXDJY4V4QCVSO
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Dance] Comments on draft-ietf-dance-architecture-09
List-Id: DANE Authentication for Network Clients Everywhere <dance.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dance/RLSNjxjwhGCPxdTw-gtLMcOFg0c>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dance>
List-Help: <mailto:dance-request@ietf.org?subject=help>
List-Owner: <mailto:dance-owner@ietf.org>
List-Post: <mailto:dance@ietf.org>
List-Subscribe: <mailto:dance-join@ietf.org>
List-Unsubscribe: <mailto:dance-leave@ietf.org>
Document: draft-ietf-dance-architecture-09.txt I am sorry for the very late review on this. It only came to my attention recently when looking at the IESG agenda. I have some detailed comments below, but my overall impression of this architecture is as a solution looking for a problem. The document lists out a very large number of use cases where this technology might be used, but doesn't really show any evidence that the WGs and organizations where those use cases apply actually are interested. This is already a bad sign, but I find it even more concerning that when I look at the use cases I know well (mTLS for HTTPS, WebRTC, SIP), the treatment is very shallow and doesn't seem to reflect an understanding of the real deployment challenges that exist in these environments. I'm very skeptical that this technology would in fact be very useful in any of these cases. It's certainly possible that there are settings in which this technology would be useful, but I don't think this laundry list of potential applications is at all helpful. Instead, this document should be pared down to the specific use cases where WGs or vendors/operators/etc. are actually prepared to deploy something like this. DETAILED COMMENTS S 1. A digital identity, in an abstract sense, possesses at least two features: an identifier (or name), and a means of proving ownership of the identifier. One of the most resilient mechanisms for tying an identifier to a method for proving ownership of the identifier is the digital certificate, issued by a well-run Certification Authority (CA). The CA acts as a mutually trusted third party, a root of trust. Certificate-based identities are limited in scope by the issuing CA, or by the namespace of the application responsible for issuing or validating the identity. Attempting to use organizational PKI outside the organization can be challenging. In order to authenticate a certificate, the certificate’s CA must be trusted. CAs have no way of controlling identifiers in certificates issued by other CAs. Consequently, trusting multiple CAs at the same time can enable entity identifier collisions. Asking an entity to trust your CA implies trust in anything that your CA signs. This is why many organizations operate a private CA, and require users and devices connecting to the organization’s networks or applications to possess certificates issued by the organization’s CA. This whole section up to here feels like kind of a cartoon sketch of the PKI (BTW, a term which is introduced without context). Specifically: - It kind of ignores that a PKI often has a trust hierarchy, so I might not need to trust the CA that issued the EE certificate. - It conflates two different notions (1) issuing identities and (2) attesting to identities. When the subject of a certificate is a domain name, as in the WebPKI, then there is not actually a risk of "identifier collisions", because every domain name is issued to one entity. There is a risk of misissuance, but that has nothing to do with there being multiple CAs. - It's not necessarily true that asking an entity to trust your CA implies trust in anything that your CA signs. The RP could have some sort of external policy. - I don't think that this trust issue is the main reason that organizations operate a private CA; I'm certain it's not the only one as this text suggests. These limitations make the implementation and ongoing maintenance of a PKI costly, and have a chilling effect on the broader adoption of certificate-based IoT device identity and user identity. If certificate-based device and user identity were easier to manage, more broadly trusted, and less operationally expensive, more organizations and applications would be able to use it. The lack of trust between PKI domains has lead to a lack of simple and globally scalable solutions for secure end-to-end inter-domain communication between entities, such as SIP phones, email and chat accounts and IoT devices belonging to different organizations. I don't understand what this text has to do with the text above it at all, which is about *organizational* CAs, but the examples you give actually require universally verifiable identities. Moreover, these specific examples really seem handwavy and out of touch with operational realities. It's really not the case that the reason we don't have secure end-to-end interdomain communication in these areas is because it's hard to get certificates for user-level end entities. To take one example, I know quite well, the reasons we don't have secure end-to-end interdomain instant messaging are (1) that providers don't want it and (2) that the naming structure for names in messaging doesn't map well onto a universal system. There has been a lot written about this in the context of MIMI, for instance [0]. Moreover, while there is really active work in the area of identity for instant messaging, it doesn't look anything like using DNSSEC. I could make similar comments about SIP and email. It may well be the case that there is some problem to be solved here, but this text is not in any way persuasive of that. Sections 2/3. I don't find these particularly helpful, but I'm also going to skip commenting on them. S 4.1. I think this really needs to explain why what you're proposing here is superior to the WebPKI, which is already designed to authenticate the server in the way you are commonly proposing, and which we know is commonly used this way for machine clients. I'm hard pressed to think of any context in which you would want to authenticate users this way, because (1) user identities are typically service specific and (2) people just don't really want to use mTLS for user authentication. As noted in a separate email, I think this whole architecture is wrong: instead of triggering a DNS lookup, you should provide the whole DNSSEC chain in the Certificate message. This is more efficient, provides greater privacy, and obviates the DoS issues you raise here. S 4.1.1. What you describe here seems like it's basically mTLS, except with DANE replacing the ordinary PKI. I can imagine people might want this, but I would observe that your text about how this works with load balancers is kind of besides the point: mTLS doesn't work well with load balancers because usually the endpoint behind the load balancer needs the client's identity, and it's not available at the HTTP layer, so you end up having to reinject it in some new header. That's inconvenient and one reason people don't like mTLS! S 4.1.2 I'm quite skeptical that anyone is going to want to do what is proposed here. You're going to ask Web applications to do some DNS resolution followed by a DNSSEC validation? Ignore security questions (often you want to sandbox your application so it can't make any outgoing requests!), this requires pulling in some external library, etc. etc. S 4.1.3-4.1.7. I don't know much about these cases, so I'm not going to comment. S 4.1.8. This text seems to me to reflect a fairly serious misunderstanding of the situation with both WebRTC and SIP. First, WebRTC doesn't give users identities even within a given domain. Instead, endpoints are just defined by hashes of (typically self-signed) certificates, which are carried in JSEP. Moreover, it doesn't have an interdomain mode at all; interoperability between services is out of scope for WebRTC. However, if someone were to invent some kind of WebRTC federation (e.g., bridging to SIP), it would work just fine with WebRTC as-is, because the fingerprints would just get carried along. Importantly, all that would be required here is authenticating the servers, not the users. It might eventually be attractive to authenticate users, but that's really far down the road in terms of the challenges here. As far as SIP goes, there are actually two classes of identifiers with SIP, e-mail style addresses and E.164 numbers. However, now that pure Internet VoIP communications has been taken over by WebRTC and proprietary apps, most uses of SIP are actually in contexts where the identifiers are E.164 numbers, and we already have a PKI-based solution for that, namely STIR/SHAKEN. There's no good reason to think this would be somehow improved by mapping it onto the DNS and a number of good reasons to think it would not be, starting with the failure of ENUM. I note that you cite johansson-sipcore-dane-sip, but I hardly think a now 11+ year old expired draft is doing much in terms of supporting the viability of this approach. -Ekr [0] https://datatracker.ietf.org/doc/draft-interop-mimi-discovery-requirements/ https://educatedguesswork.org/posts/messaging-e2e/
- [Dance] Comments on draft-ietf-dance-architecture… Eric Rescorla