IETF Logo Mail Archive

Re: [Dance] WGLC path forward draft-ietf-dance-client-auth and draft-ietf-dance-tls-clientid

Shumon Huque <shuque@gmail.com> Wed, 22 November 2023 15:50 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: dance@ietfa.amsl.com
Delivered-To: dance@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 673C9C15152E for <dance@ietfa.amsl.com>; Wed, 22 Nov 2023 07:50:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zje_wEw0rsbJ for <dance@ietfa.amsl.com>; Wed, 22 Nov 2023 07:50:13 -0800 (PST)
Received: from mail-il1-x12b.google.com (mail-il1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31DC1C151095 for <dance@ietf.org>; Wed, 22 Nov 2023 07:50:13 -0800 (PST)
Received: by mail-il1-x12b.google.com with SMTP id e9e14a558f8ab-35b2144232bso5981895ab.3 for <dance@ietf.org>; Wed, 22 Nov 2023 07:50:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1700668212; x=1701273012; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=6K+S5Ly5Zx0HgocUlh3o83RBgbcV5O+OQQtWqTV0vnM=; b=PV07RFTo2KjnAVT7T2OWtvBek2i1umu3x0dUzgGN5tZRmHIdO7caAcSxFWm/UE8qFz Bf+BB5/itgkT4y/AWUSwQUmTNaXu6BLHj+jNXsi80Jc+njEbCqyC95feIcd1pCG5rlWV CHAufhNN/Ket97YF1wHSKQKvcY4tyHIUuzcM6dVvsHupstj4v+2c4iL6DlnwSsk0yE3n 5SCY5+EI1wpcZsPWzbE//YHMY2LLSMJ2qTK1yeKHF6X+HByOjTJ8nFi2fI3KUsrVrx3B JWtzSMuqvN0Lw0JXV3L8uP8Q3ATy50/eMag1U+1BuDOEOow0F33ylgjy6RsEbrYjSCJn 9gag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700668212; x=1701273012; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=6K+S5Ly5Zx0HgocUlh3o83RBgbcV5O+OQQtWqTV0vnM=; b=uINEdp5bB42rT/9Btr9ScP0hPRpJQ4xEUVFbWyzru4kUhJRUnJHaobYdf/shYfmZoX hqKoFBUxlJ26mJ6onuQrtN5VrUm/RO+kMEC5ZGzEuI4OmXiueNKWslfBC7xkYwLadCu1 yyM+5zlNaNX9/UUjwxSlirvrd0bJZfneSrGPZZP4fqpA5hBzYAqm+21/dasUgJUIZYXM LJkYJy5vUtYaTqvu3s57r4ALyhPHVaBt5odVdU+ndGDBniRohJpQrBSiZEh7NPhFgSJK UVn86IWrVIhF6hYmr9FrFaKO7jCA4BFHKFxopu5mWwMWPwl/512kspW7ojTo68BBJDva /mJA==
X-Gm-Message-State: AOJu0YyqwqcSyrn+vl/P2vG99sBJEin6swr2veh71YfClpEQvWD2AlQk isVaxAs45QoxFT7L6RAyA7y8aS2UE+focvbj3q8=
X-Google-Smtp-Source: AGHT+IHWea0Wbe5CiQDA1yFhPt7bLzgv+f3A4hco2/cpOL81EJ27VUcb1vyJgylB08lLhJoREKchX+djfcFVf5d8/f4=
X-Received: by 2002:a92:ce87:0:b0:35b:17e9:a81d with SMTP id r7-20020a92ce87000000b0035b17e9a81dmr2499685ilo.5.1700668212028; Wed, 22 Nov 2023 07:50:12 -0800 (PST)
MIME-Version: 1.0
References: <CAEhLrag15y1a7TDiFhfh=TT2mgjMWEUw7x-spnJkmcNHMmPJAw@mail.gmail.com>
In-Reply-To: <CAEhLrag15y1a7TDiFhfh=TT2mgjMWEUw7x-spnJkmcNHMmPJAw@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
Date: Wed, 22 Nov 2023 10:50:00 -0500
Message-ID: <CAHPuVdXTfjuKyskXize+pTmPdwwVme-AUQJeaJgG71rC4CyTHA@mail.gmail.com>
To: Joey Salazar <joeygsal@gmail.com>
Cc: dance@ietf.org, Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: multipart/alternative; boundary="000000000000a8b0f0060abfacfe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dance/TRrLvm9TfSAV_llJ7uvhPYPqQ0g>
Subject: Re: [Dance] WGLC path forward draft-ietf-dance-client-auth and draft-ietf-dance-tls-clientid
X-BeenThere: dance@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DANE Authentication for Network Clients Everywhere <dance.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dance>, <mailto:dance-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dance/>
List-Post: <mailto:dance@ietf.org>
List-Help: <mailto:dance-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dance>, <mailto:dance-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Nov 2023 15:50:15 -0000

Thanks for the summary Joey,

PS. I'm also starting to work on updates to the draft based on the points
agreed upon during the meeting (which were most of the open issues),
and will incorporate any additional feedback from the list.

Shumon.

On Tue, Nov 21, 2023 at 1:37 PM Joey Salazar <joeygsal@gmail.com> wrote:

> Hello DANCE,
>
> DANCE met at IETF-118 and discussed the remaining last call issues
> with respect to the draft-ietf-dance-client-auth and
> draft-ietf-dance-tls-clientid documents.  Below is a summary of the
> issues, and the path forward as agreed to during the WG meeting.  The
> DANCE chairs would like the WG participants to please review the
> conclusions reached and to speak up if there are any participants that
> disagree with the proposed paths forward for the issues.
>
> Please submit your thoughts and/or contributions by *EOB December 21st*.
> Issues left unaddressed by that time will be discarded.
>
> The youtube video of the session can be found here for those that wish
> to watch it: https://www.youtube.com/watch?v=HDKFZAkOyW4
>
> Last call comment discussion: draft-ietf-dance-client-auth
> ============================================================
>
> Issue: Examples needed
> ~~~~~~~~~~~~~~~~~~~
>
>   Comment from: Rick van Rein
>
>   - could use examples for:
>     - domain names
>     - wildcards and DANE-TA
>
>   Potential: Volunteer needed to add an easy example
>   Potential: /or/ point to architecture document?
>   Potential: /or/ point to use-cases document?
>
>   Conclusion at IETF-118: ask for text volunteers or drop if no volunteers
>
>
> Issue: Encoding the transport label
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>   Comment from: Michael Richardson
>
>   LC comment notes:
>   - The transport label encoding may not be needed,
>   - both TLS and DTLS are functionally dual-usable already
>   - the current draft already says the transport label is not needed
>
>   Potential: leave as is
>
>   Conclusion at IETF-118: leave as is the general document should not
>   be that prescriptive
>
>
> Issue: clarity on the security considerations
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>   Comment from: Robert Moskowitz
>
>   LC comment notes:
>   - Are there privacy concerns because of client identity harvesting in
>     DANCE?
>   - do we need a better security consideration section description?
>
>   Potential: Mention this consideration in the security consideration
>
>   Conclusion at IETF-118: Bob to offer suggestive texts
>
>
> Issue: X.509 certificates should be a MUST
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>   Comment from: Michael Richardson
>
>   LC comment notes:
>   - Why is there an exception that allows for SHOULD when using X.509
>     certificate
>
>   Potential: Change it to MUST
>
>   Conclusion at IETF-118: different modes in client authentication,
>   but you don't have to.  You can also use raw public key.
>
>   result: leave as is with extra text explaining why
>
>   Shumon to see if further elaboration would be helpful/necessary
>
>
> Issue: Nits
> ~~~~~~~~
>
>   Comment from: Michael Richardson
>
>   LC comment notes:
>   - Smaller wording suggestions and nits IRT DNSSEC validation,
>     distinction between TLS and DTLS, [_service] and device notation,
>     references for both RFCs and inactive drafts
>   - Message-ID: 763667.1668330590@dyas
>
>   Potential: Accept and act on the nits
>
>   Conclusion at IETF-118: accept suggested text from Michael
>
>
> Last call comments about draft-ietf-dance-tls-clientid
> ============================================================
>
> Issue: Needs a check regarding the supported TLS version
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>   Comment from: Michael Richardson
>
>
>   LC comment notes:
>   - We have a reference to TLS 1.2 and 1.3 and DTLS 1.3
>   - We have a reference to RFC8446 (framing extension)
>
>   Potential: This extension supports both TLS 1.2 [RFC5246] and TLS 1.3
>   [RFC8446], and future TLS versions.  DTLS [RFC6347] is also
>   supported. The term TLS in this document is used generically to
>   describe all protocols.
>
>   Potential: A reference to RFC6066 is not needed (TLS extensions)
>
>   Conclusion at IETF-118: accept this suggested text from the chairs
>   above, add additional fuzzy text mentioning that future versions of
>   the TLS protocol may require extensions be put in other places
>   within TLS initialization messages.
>
>   Conclusion: reference is not needed
>
>
> Issue: Request for clarity on the ClientName limit definition
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>   Comment from: Rick van Rein and Michael Richardson
>
>   LC comment notes:
>   - dane_clientid extensions defined as <1..255>
>   - TLS encodes names as ascii
>   - DNS encodes them as 255 character limit names
>     - (with a trailing dot/null indicating the root zone)
>
>   The decode_error alert and a closedown of the connection when using
>   empty dane_clientid extensions defined as <1..255>
>
>   - We require ClientName to be non-empty
>   - Do we ever need to require an extension with a zero-length
>     ClientName?
>
>   Potential: ensure the text properly shows the difference between the
>   TLS length required vs the DANE request length required.
>
>   Conclusion at IETF-118: Mark and Shumon will work on the right end
>   length for 255 issue, likely extending the potential length to 1024.
>
>   Also: Shumon needs to talk with EKR or someone about a better way to
>   write an empty presentation syntax for TLS extensions.
>
>
> Issue: Use stiffer requirements
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>   Comment from: Rick van Rein and Michael Richardson
>
>   LC comment notes:
>   - More stiff requirements suggested in order to improve
>     interoperability and reduce code complexity
>   - "When using X.509 certificate authentication, it SHOULD send this
>     extension."
>
>   Potential: SHOULD -> MUST
>
>   Conclusion at IETF-118: it's a SHOULD because of mixed-mode cases or
>   where it may not be wise to deploy it operationally
>
>   Also: Add a sentence explaining why it's a SHOULD
>
>
> Issue: The draft SHOULD say what RR content it expects
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>   Comment from: Robert Moskowitz
>
>   LC comment notes:
>   + Interpretation: DANE has multiple usage/etc models now, should we
>     specify which are usable in this context?
>
>   Potential: drop this suggestion as it adds more strictness than is
>   necessary.  Disagreement about whether or not this should go into this
>   document vs a more specific one if needed.
>
>   Conclusion at IETF-118: leave as is -- future application specific
>   profiles might make it more strict, but the strictness is not needed
>   in the base document.
>
>
> Issue: Use case for mixed environments in terms of certificate_authorities
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>   Comment from: Rick van Rein?
>
>   LC comment notes:
>   - Use case for mixed environments in terms of certificate_authorities
>   - likely in the context of an ownership change
>
>   Potential: ???
>
>   Conclusion at IETF-118: need more information about mixed
>   environments before a concrete suggestion could be made.
>
> Your chairs,
> Wes and Joey
>

v2.23.0 | Report a Bug | By Email