IETF Logo Mail Archive

[Dance] WGLC path forward draft-ietf-dance-client-auth and draft-ietf-dance-tls-clientid

Joey Salazar <joeygsal@gmail.com> Tue, 21 November 2023 18:38 UTC

Return-Path: <joeygsal@gmail.com>
X-Original-To: dance@ietfa.amsl.com
Delivered-To: dance@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A8ACC151997 for <dance@ietfa.amsl.com>; Tue, 21 Nov 2023 10:38:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qPHgbi5uQzUe for <dance@ietfa.amsl.com>; Tue, 21 Nov 2023 10:38:27 -0800 (PST)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAED6C151981 for <dance@ietf.org>; Tue, 21 Nov 2023 10:37:46 -0800 (PST)
Received: by mail-lf1-x130.google.com with SMTP id 2adb3069b0e04-50970c2115eso8493247e87.1 for <dance@ietf.org>; Tue, 21 Nov 2023 10:37:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1700591865; x=1701196665; darn=ietf.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=Rzq+w0Nvbv/whluy8ETqqOdik/5wUS0TKx99YzHoN2s=; b=WCsov3o0tuArT+i3S6YGgGjCpZCDZry8I7XMA3v7gyHOSlmi2ZaA5LJg2UbpmMdEKK F5QX0RUQUSg1rbtANzzcs8XS6PNPjo527Xk4lQwQ1zggSPy0cT37QwY09IjrPgka2GfE RMmOL/bTcdZhuyVdu0Bl8poECeUQQ4yqUZXNy2Wp4m3Fa1KTEMFDT3Fkp4EW3bFrJjOW jEkBFtPDlkQnAxkUT0S2vsvrrWTTil7vcLU567IJK7y69zCz0XdVbva7Ruh/DKsPZiY+ LNnFG8MdlHNQ4KdZ6GoRl9KNNf16HXoXqS/8caFlM86BmVmYoHJ270VIsqePY/Breo4N 1Ulw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700591865; x=1701196665; h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=Rzq+w0Nvbv/whluy8ETqqOdik/5wUS0TKx99YzHoN2s=; b=jwsUjI2Rl3aJv8G8nuhkuJeY1o1P+tnEjzkf3WxGP8Yj2Ky0poKgMR/vPCm7GBog6w jQK+IWPPMt1LZms1CUwAbmJHuA6EoPZNteetJy8JgXwnIjAl3mGUACbsOWS2Zb5Eov0j ave74JZH6yu6r5cljdqiwEKJYjNMo3xVsaUOx5ZmbgE4ML1dArMj8wcNVAKL9HlECxof C8Potumd8jA+zrl7IdxD+G5UzHMAu6xpb3s9dwHJTlNm/0/jSsDwow/lpB8z9Id5QMoa mwPtP2hDTWgwCxMOfEEO8w1QNH5nf7NhYsK9CuMXblfAUfFeBuufqKu2XbLPX96PdkU8 vW4A==
X-Gm-Message-State: AOJu0YzniMZnnuFIgJMuJWrYewztgCZH7DgDIiOseDglAilxrSSplj+h 43lXrnnM/2MOkyqRnhG/vWby+zCQ1zdtn1ISMmOEwNFh52U=
X-Google-Smtp-Source: AGHT+IGrJmRCY6q9cgehLTxQ7Hbs1VTSl33i1lVGcwU5xjj1FFhGUofjyTxi5J2HQrKW5i545zj/SmC1jA2pIfQo6sY=
X-Received: by 2002:a05:6512:3ba6:b0:50a:764d:7de7 with SMTP id g38-20020a0565123ba600b0050a764d7de7mr78637lfv.41.1700591864576; Tue, 21 Nov 2023 10:37:44 -0800 (PST)
MIME-Version: 1.0
From: Joey Salazar <joeygsal@gmail.com>
Date: Tue, 21 Nov 2023 19:37:28 +0100
Message-ID: <CAEhLrag15y1a7TDiFhfh=TT2mgjMWEUw7x-spnJkmcNHMmPJAw@mail.gmail.com>
To: dance@ietf.org
Cc: Shumon Huque <shuque@gmail.com>, Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: multipart/alternative; boundary="000000000000feff81060aade5c5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dance/VLsoFcZH7hYO0lNc6LFVk5TCbjk>
Subject: [Dance] WGLC path forward draft-ietf-dance-client-auth and draft-ietf-dance-tls-clientid
X-BeenThere: dance@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DANE Authentication for Network Clients Everywhere <dance.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dance>, <mailto:dance-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dance/>
List-Post: <mailto:dance@ietf.org>
List-Help: <mailto:dance-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dance>, <mailto:dance-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Nov 2023 18:38:28 -0000

Hello DANCE,

DANCE met at IETF-118 and discussed the remaining last call issues
with respect to the draft-ietf-dance-client-auth and
draft-ietf-dance-tls-clientid documents.  Below is a summary of the
issues, and the path forward as agreed to during the WG meeting.  The
DANCE chairs would like the WG participants to please review the
conclusions reached and to speak up if there are any participants that
disagree with the proposed paths forward for the issues.

Please submit your thoughts and/or contributions by *EOB December 21st*.
Issues left unaddressed by that time will be discarded.

The youtube video of the session can be found here for those that wish
to watch it: https://www.youtube.com/watch?v=HDKFZAkOyW4

Last call comment discussion: draft-ietf-dance-client-auth
============================================================

Issue: Examples needed
~~~~~~~~~~~~~~~~~~~

  Comment from: Rick van Rein

  - could use examples for:
    - domain names
    - wildcards and DANE-TA

  Potential: Volunteer needed to add an easy example
  Potential: /or/ point to architecture document?
  Potential: /or/ point to use-cases document?

  Conclusion at IETF-118: ask for text volunteers or drop if no volunteers


Issue: Encoding the transport label
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Comment from: Michael Richardson

  LC comment notes:
  - The transport label encoding may not be needed,
  - both TLS and DTLS are functionally dual-usable already
  - the current draft already says the transport label is not needed

  Potential: leave as is

  Conclusion at IETF-118: leave as is the general document should not
  be that prescriptive


Issue: clarity on the security considerations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Comment from: Robert Moskowitz

  LC comment notes:
  - Are there privacy concerns because of client identity harvesting in
    DANCE?
  - do we need a better security consideration section description?

  Potential: Mention this consideration in the security consideration

  Conclusion at IETF-118: Bob to offer suggestive texts


Issue: X.509 certificates should be a MUST
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Comment from: Michael Richardson

  LC comment notes:
  - Why is there an exception that allows for SHOULD when using X.509
    certificate

  Potential: Change it to MUST

  Conclusion at IETF-118: different modes in client authentication,
  but you don't have to.  You can also use raw public key.

  result: leave as is with extra text explaining why

  Shumon to see if further elaboration would be helpful/necessary


Issue: Nits
~~~~~~~~

  Comment from: Michael Richardson

  LC comment notes:
  - Smaller wording suggestions and nits IRT DNSSEC validation,
    distinction between TLS and DTLS, [_service] and device notation,
    references for both RFCs and inactive drafts
  - Message-ID: 763667.1668330590@dyas

  Potential: Accept and act on the nits

  Conclusion at IETF-118: accept suggested text from Michael


Last call comments about draft-ietf-dance-tls-clientid
============================================================

Issue: Needs a check regarding the supported TLS version
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Comment from: Michael Richardson


  LC comment notes:
  - We have a reference to TLS 1.2 and 1.3 and DTLS 1.3
  - We have a reference to RFC8446 (framing extension)

  Potential: This extension supports both TLS 1.2 [RFC5246] and TLS 1.3
  [RFC8446], and future TLS versions.  DTLS [RFC6347] is also
  supported. The term TLS in this document is used generically to
  describe all protocols.

  Potential: A reference to RFC6066 is not needed (TLS extensions)

  Conclusion at IETF-118: accept this suggested text from the chairs
  above, add additional fuzzy text mentioning that future versions of
  the TLS protocol may require extensions be put in other places
  within TLS initialization messages.

  Conclusion: reference is not needed


Issue: Request for clarity on the ClientName limit definition
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Comment from: Rick van Rein and Michael Richardson

  LC comment notes:
  - dane_clientid extensions defined as <1..255>
  - TLS encodes names as ascii
  - DNS encodes them as 255 character limit names
    - (with a trailing dot/null indicating the root zone)

  The decode_error alert and a closedown of the connection when using
  empty dane_clientid extensions defined as <1..255>

  - We require ClientName to be non-empty
  - Do we ever need to require an extension with a zero-length
    ClientName?

  Potential: ensure the text properly shows the difference between the
  TLS length required vs the DANE request length required.

  Conclusion at IETF-118: Mark and Shumon will work on the right end
  length for 255 issue, likely extending the potential length to 1024.

  Also: Shumon needs to talk with EKR or someone about a better way to
  write an empty presentation syntax for TLS extensions.


Issue: Use stiffer requirements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Comment from: Rick van Rein and Michael Richardson

  LC comment notes:
  - More stiff requirements suggested in order to improve
    interoperability and reduce code complexity
  - "When using X.509 certificate authentication, it SHOULD send this
    extension."

  Potential: SHOULD -> MUST

  Conclusion at IETF-118: it's a SHOULD because of mixed-mode cases or
  where it may not be wise to deploy it operationally

  Also: Add a sentence explaining why it's a SHOULD


Issue: The draft SHOULD say what RR content it expects
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Comment from: Robert Moskowitz

  LC comment notes:
  + Interpretation: DANE has multiple usage/etc models now, should we
    specify which are usable in this context?

  Potential: drop this suggestion as it adds more strictness than is
  necessary.  Disagreement about whether or not this should go into this
  document vs a more specific one if needed.

  Conclusion at IETF-118: leave as is -- future application specific
  profiles might make it more strict, but the strictness is not needed
  in the base document.


Issue: Use case for mixed environments in terms of certificate_authorities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Comment from: Rick van Rein?

  LC comment notes:
  - Use case for mixed environments in terms of certificate_authorities
  - likely in the context of an ownership change

  Potential: ???

  Conclusion at IETF-118: need more information about mixed
  environments before a concrete suggestion could be made.

Your chairs,
Wes and Joey

v2.23.0 | Report a Bug | By Email