[Dance] WGLC path forward draft-ietf-dance-client-auth and draft-ietf-dance-tls-clientid
Joey Salazar <joeygsal@gmail.com> Tue, 21 November 2023 18:38 UTC
Return-Path: <joeygsal@gmail.com>
X-Original-To: dance@ietfa.amsl.com
Delivered-To: dance@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A8ACC151997 for <dance@ietfa.amsl.com>; Tue, 21 Nov 2023 10:38:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qPHgbi5uQzUe for <dance@ietfa.amsl.com>; Tue, 21 Nov 2023 10:38:27 -0800 (PST)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAED6C151981 for <dance@ietf.org>; Tue, 21 Nov 2023 10:37:46 -0800 (PST)
Received: by mail-lf1-x130.google.com with SMTP id 2adb3069b0e04-50970c2115eso8493247e87.1 for <dance@ietf.org>; Tue, 21 Nov 2023 10:37:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1700591865; x=1701196665; darn=ietf.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=Rzq+w0Nvbv/whluy8ETqqOdik/5wUS0TKx99YzHoN2s=; b=WCsov3o0tuArT+i3S6YGgGjCpZCDZry8I7XMA3v7gyHOSlmi2ZaA5LJg2UbpmMdEKK F5QX0RUQUSg1rbtANzzcs8XS6PNPjo527Xk4lQwQ1zggSPy0cT37QwY09IjrPgka2GfE RMmOL/bTcdZhuyVdu0Bl8poECeUQQ4yqUZXNy2Wp4m3Fa1KTEMFDT3Fkp4EW3bFrJjOW jEkBFtPDlkQnAxkUT0S2vsvrrWTTil7vcLU567IJK7y69zCz0XdVbva7Ruh/DKsPZiY+ LNnFG8MdlHNQ4KdZ6GoRl9KNNf16HXoXqS/8caFlM86BmVmYoHJ270VIsqePY/Breo4N 1Ulw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700591865; x=1701196665; h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=Rzq+w0Nvbv/whluy8ETqqOdik/5wUS0TKx99YzHoN2s=; b=jwsUjI2Rl3aJv8G8nuhkuJeY1o1P+tnEjzkf3WxGP8Yj2Ky0poKgMR/vPCm7GBog6w jQK+IWPPMt1LZms1CUwAbmJHuA6EoPZNteetJy8JgXwnIjAl3mGUACbsOWS2Zb5Eov0j ave74JZH6yu6r5cljdqiwEKJYjNMo3xVsaUOx5ZmbgE4ML1dArMj8wcNVAKL9HlECxof C8Potumd8jA+zrl7IdxD+G5UzHMAu6xpb3s9dwHJTlNm/0/jSsDwow/lpB8z9Id5QMoa mwPtP2hDTWgwCxMOfEEO8w1QNH5nf7NhYsK9CuMXblfAUfFeBuufqKu2XbLPX96PdkU8 vW4A==
X-Gm-Message-State: AOJu0YzniMZnnuFIgJMuJWrYewztgCZH7DgDIiOseDglAilxrSSplj+h 43lXrnnM/2MOkyqRnhG/vWby+zCQ1zdtn1ISMmOEwNFh52U=
X-Google-Smtp-Source: AGHT+IGrJmRCY6q9cgehLTxQ7Hbs1VTSl33i1lVGcwU5xjj1FFhGUofjyTxi5J2HQrKW5i545zj/SmC1jA2pIfQo6sY=
X-Received: by 2002:a05:6512:3ba6:b0:50a:764d:7de7 with SMTP id g38-20020a0565123ba600b0050a764d7de7mr78637lfv.41.1700591864576; Tue, 21 Nov 2023 10:37:44 -0800 (PST)
MIME-Version: 1.0
From: Joey Salazar <joeygsal@gmail.com>
Date: Tue, 21 Nov 2023 19:37:28 +0100
Message-ID: <CAEhLrag15y1a7TDiFhfh=TT2mgjMWEUw7x-spnJkmcNHMmPJAw@mail.gmail.com>
To: dance@ietf.org
Cc: Shumon Huque <shuque@gmail.com>, Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: multipart/alternative; boundary="000000000000feff81060aade5c5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dance/VLsoFcZH7hYO0lNc6LFVk5TCbjk>
Subject: [Dance] WGLC path forward draft-ietf-dance-client-auth and draft-ietf-dance-tls-clientid
X-BeenThere: dance@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DANE Authentication for Network Clients Everywhere <dance.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dance>, <mailto:dance-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dance/>
List-Post: <mailto:dance@ietf.org>
List-Help: <mailto:dance-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dance>, <mailto:dance-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Nov 2023 18:38:28 -0000
Hello DANCE, DANCE met at IETF-118 and discussed the remaining last call issues with respect to the draft-ietf-dance-client-auth and draft-ietf-dance-tls-clientid documents. Below is a summary of the issues, and the path forward as agreed to during the WG meeting. The DANCE chairs would like the WG participants to please review the conclusions reached and to speak up if there are any participants that disagree with the proposed paths forward for the issues. Please submit your thoughts and/or contributions by *EOB December 21st*. Issues left unaddressed by that time will be discarded. The youtube video of the session can be found here for those that wish to watch it: https://www.youtube.com/watch?v=HDKFZAkOyW4 Last call comment discussion: draft-ietf-dance-client-auth ============================================================ Issue: Examples needed ~~~~~~~~~~~~~~~~~~~ Comment from: Rick van Rein - could use examples for: - domain names - wildcards and DANE-TA Potential: Volunteer needed to add an easy example Potential: /or/ point to architecture document? Potential: /or/ point to use-cases document? Conclusion at IETF-118: ask for text volunteers or drop if no volunteers Issue: Encoding the transport label ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Comment from: Michael Richardson LC comment notes: - The transport label encoding may not be needed, - both TLS and DTLS are functionally dual-usable already - the current draft already says the transport label is not needed Potential: leave as is Conclusion at IETF-118: leave as is the general document should not be that prescriptive Issue: clarity on the security considerations ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Comment from: Robert Moskowitz LC comment notes: - Are there privacy concerns because of client identity harvesting in DANCE? - do we need a better security consideration section description? Potential: Mention this consideration in the security consideration Conclusion at IETF-118: Bob to offer suggestive texts Issue: X.509 certificates should be a MUST ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Comment from: Michael Richardson LC comment notes: - Why is there an exception that allows for SHOULD when using X.509 certificate Potential: Change it to MUST Conclusion at IETF-118: different modes in client authentication, but you don't have to. You can also use raw public key. result: leave as is with extra text explaining why Shumon to see if further elaboration would be helpful/necessary Issue: Nits ~~~~~~~~ Comment from: Michael Richardson LC comment notes: - Smaller wording suggestions and nits IRT DNSSEC validation, distinction between TLS and DTLS, [_service] and device notation, references for both RFCs and inactive drafts - Message-ID: 763667.1668330590@dyas Potential: Accept and act on the nits Conclusion at IETF-118: accept suggested text from Michael Last call comments about draft-ietf-dance-tls-clientid ============================================================ Issue: Needs a check regarding the supported TLS version ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Comment from: Michael Richardson LC comment notes: - We have a reference to TLS 1.2 and 1.3 and DTLS 1.3 - We have a reference to RFC8446 (framing extension) Potential: This extension supports both TLS 1.2 [RFC5246] and TLS 1.3 [RFC8446], and future TLS versions. DTLS [RFC6347] is also supported. The term TLS in this document is used generically to describe all protocols. Potential: A reference to RFC6066 is not needed (TLS extensions) Conclusion at IETF-118: accept this suggested text from the chairs above, add additional fuzzy text mentioning that future versions of the TLS protocol may require extensions be put in other places within TLS initialization messages. Conclusion: reference is not needed Issue: Request for clarity on the ClientName limit definition ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Comment from: Rick van Rein and Michael Richardson LC comment notes: - dane_clientid extensions defined as <1..255> - TLS encodes names as ascii - DNS encodes them as 255 character limit names - (with a trailing dot/null indicating the root zone) The decode_error alert and a closedown of the connection when using empty dane_clientid extensions defined as <1..255> - We require ClientName to be non-empty - Do we ever need to require an extension with a zero-length ClientName? Potential: ensure the text properly shows the difference between the TLS length required vs the DANE request length required. Conclusion at IETF-118: Mark and Shumon will work on the right end length for 255 issue, likely extending the potential length to 1024. Also: Shumon needs to talk with EKR or someone about a better way to write an empty presentation syntax for TLS extensions. Issue: Use stiffer requirements ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Comment from: Rick van Rein and Michael Richardson LC comment notes: - More stiff requirements suggested in order to improve interoperability and reduce code complexity - "When using X.509 certificate authentication, it SHOULD send this extension." Potential: SHOULD -> MUST Conclusion at IETF-118: it's a SHOULD because of mixed-mode cases or where it may not be wise to deploy it operationally Also: Add a sentence explaining why it's a SHOULD Issue: The draft SHOULD say what RR content it expects ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Comment from: Robert Moskowitz LC comment notes: + Interpretation: DANE has multiple usage/etc models now, should we specify which are usable in this context? Potential: drop this suggestion as it adds more strictness than is necessary. Disagreement about whether or not this should go into this document vs a more specific one if needed. Conclusion at IETF-118: leave as is -- future application specific profiles might make it more strict, but the strictness is not needed in the base document. Issue: Use case for mixed environments in terms of certificate_authorities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Comment from: Rick van Rein? LC comment notes: - Use case for mixed environments in terms of certificate_authorities - likely in the context of an ownership change Potential: ??? Conclusion at IETF-118: need more information about mixed environments before a concrete suggestion could be made. Your chairs, Wes and Joey
- [Dance] WGLC path forward draft-ietf-dance-client… Joey Salazar
- Re: [Dance] WGLC path forward draft-ietf-dance-cl… Shumon Huque
- Re: [Dance] WGLC path forward draft-ietf-dance-cl… Wes Hardaker
- Re: [Dance] WGLC path forward draft-ietf-dance-cl… Shumon Huque
- Re: [Dance] WGLC path forward draft-ietf-dance-cl… Shumon Huque
- Re: [Dance] WGLC path forward draft-ietf-dance-cl… Wes Hardaker
- Re: [Dance] WGLC path forward draft-ietf-dance-cl… Wes Hardaker