IETF Logo Mail Archive

Re: [Dance] [SCITT] [EXTERNAL] Re: Leveraging DNS in Digital Trust: Credential Exchanges and Trust Registries

Dick Brooks <dick@reliableenergyanalytics.com> Fri, 09 June 2023 15:14 UTC

Return-Path: <dick@reliableenergyanalytics.com>
X-Original-To: dance@ietfa.amsl.com
Delivered-To: dance@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0F0DC1522AF; Fri, 9 Jun 2023 08:14:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=reliableenergyanalytics.com header.b="WIRxfLIc"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="GUsdDE/+"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id byal5d7fFdC7; Fri, 9 Jun 2023 08:14:41 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F93FC14CE24; Fri, 9 Jun 2023 08:14:40 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id ACA015C0163; Fri, 9 Jun 2023 11:14:37 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Fri, 09 Jun 2023 11:14:37 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= reliableenergyanalytics.com; h=cc:cc:content-type:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:reply-to:sender:subject :subject:to:to; s=fm2; t=1686323677; x=1686410077; bh=l44MeBo5fq ANix78ao1zKT8XpzRxOos+G9Ln5T+BgQw=; b=WIRxfLIcsOWxY8Tn3qkWLVihe/ I7K7Y5V+f5y0g6lfEnS0gaBpBYoxDOFXp3eDBHpog8HXqD7VA33CH3z0MbwrbmT1 5C8GrmnajYoDcMmPAZJ+oxZqbVaA/6Bt6SOttPszOI60erPuhTqA8LJadwTsRK8R ujrAQt5FpJMIV3d9MLTFNWtFaDPtMJ+j6xCRTtPBiWY7Bf9XFumvpgYkTY9x2LRQ OzT90ggLNFv/ryN4VCAuSGfFQnbKwQk1r+1m0cRn64U0bZY8kkbE9WesyW+2xzmP z+OdIQxLtHpgokCUPlnR01OoEFCsp7WwvBkLifWUBXiMq6hmTU60OxE5mUfg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:reply-to:sender :subject:subject:to:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; t=1686323677; x=1686410077; bh=l 44MeBo5fqANix78ao1zKT8XpzRxOos+G9Ln5T+BgQw=; b=GUsdDE/+Pk7YvkK4q GikjOPH0h8MQ/YdQII8Z0qpfztZaVzAypMEAEMfhkEilOkdsqzquL4DDMG/WMOWm 6CovtmJcvHT89WJo3qMz9AtY90i3qZ1xILULxJpFpNKVqHQVcc+DSe2feH+BL3uC kytOSRkYy14nwFjPqoN90UqB1jLWD6/BnTXmvoEgoXxBPsxUMAqrNmVkEYXQZOGw yyVEA3S00ZHwq10dtXMe9zIFiORDZb2QySrFE3SY1y3PzEm33gQCOlk/nIZvebyL RsXKUpH8mRwt/fwBb1JEKGSYIOXtn7H46bQ4StmnfueqTzmpAdnsAkIUT2zMs9nn f7dpQ==
X-ME-Sender: <xms:3UGDZHQCYKaE5WeuWl-kuxvmPXbWcFSWe1ytkxXRkcwdjMTULI2omA> <xme:3UGDZIxf-zvgBGPDbexWv7EYGmsJzYpAFcPrPLGFBT_6d4Renye5BgTHr-ZnJFrfy 64q28sbUX4hO633fA>
X-ME-Received: <xmr:3UGDZM3OT9bVuyuodslSNLuala9w96O1jqjlGE7P7w8KDMefbzFX_5U>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrgedtkedgkeeiucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne gfrhhlucfvnfffucdlqdefmdenucfjughrpehrhffvvehfjgfuffhokfggtgfothesrhdt ghepvddtvdenucfhrhhomhepfdffihgtkhcuuehrohhokhhsfdcuoeguihgtkhesrhgvlh hirggslhgvvghnvghrghihrghnrghlhihtihgtshdrtghomheqnecuggftrfgrthhtvghr nhepveffjeetjeetudetkedtkeeiffduteetteefvddtkeffgeevtefftdeuledvleeune cuffhomhgrihhnpehrvghlihgrsghlvggvnhgvrhhghigrnhgrlhihthhitghsrdgtohhm pdhivghtfhdrohhrghdpohhuthhlohhokhdrtghomhdpihguvghnthhithihrdhfohhunh gurghtihhonhdpvgigrghmphhlvgdqihhsshhuvghrrdgtrgdpfiefrdhorhhgpdhsvghn rghtvgdrghhovhdpghhithhhuhgsrdgtohhmpdhtrhgrnhhsmhhuthgvrdhinhguuhhsth hrihgvshenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhm peguihgtkhesrhgvlhhirggslhgvvghnvghrghihrghnrghlhihtihgtshdrtghomh
X-ME-Proxy: <xmx:3UGDZHCnpqOpLMUJlPFWU2wQVupPwRbvzyAK7LLEGG7QKJLNvOefig> <xmx:3UGDZAiv5x-Qlq8LR2YMuedpKnCVfDnuYKIhoC4rGUjXQiBglYVgvg> <xmx:3UGDZLpSLYl35Swt6tvA2QHdLgaJjScgDrIctfFAzuvIW5BigJzsnw> <xmx:3UGDZIeUJ8o_KvUJesx_FvQxepcFgEmgPog-Y1TUi3jBz2GkNymODw>
Feedback-ID: i57d944d0:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 9 Jun 2023 11:14:37 -0400 (EDT)
Reply-To: dick@reliableenergyanalytics.com
From: Dick Brooks <dick@reliableenergyanalytics.com>
To: 'Antoine Delignat-Lavaud' <antdl=40microsoft.com@dmarc.ietf.org>, 'Orie Steele' <orie@transmute.industries>, dance@ietf.org
Cc: jacques.latour@cira.ca, uta@ietf.org, 'scitt' <scitt@ietf.org>
References: <CAN8C-_KcJ8G+QX99SA859N=oS8-cXqziy-WwovV7jUS6GM29EQ@mail.gmail.com> <PA4PR83MB0527E89A708983B5BC27918AB251A@PA4PR83MB0527.EURPRD83.prod.outlook.com>
In-Reply-To: <PA4PR83MB0527E89A708983B5BC27918AB251A@PA4PR83MB0527.EURPRD83.prod.outlook.com>
Date: Fri, 09 Jun 2023 11:14:33 -0400
Organization: Reliable Energy Analytics LLC
Message-ID: <505701d99ae5$1a4be4f0$4ee3aed0$@reliableenergyanalytics.com>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_5058_01D99AC3.933CB5F0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGOHO/0k9aNAEwiOsaNeHeDRZ4IPAKs7ShksAQokJA=
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/dance/WpefvHYoQuU8SJwqgbjubJOqym4>
Subject: Re: [Dance] [SCITT] [EXTERNAL] Re: Leveraging DNS in Digital Trust: Credential Exchanges and Trust Registries
X-BeenThere: dance@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DANE Authentication for Network Clients Everywhere <dance.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dance>, <mailto:dance-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dance/>
List-Post: <mailto:dance@ietf.org>
List-Help: <mailto:dance-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dance>, <mailto:dance-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jun 2023 15:14:46 -0000

I concur.

 

DNS also contains CAA records to indicate which CA's are authorized to issue
digital certificates for the organization owning a dns name. 

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council - A Public-Private Partnership

 

 <https://reliableenergyanalytics.com/products> Never trust software, always
verify and report! T

 <http://www.reliableenergyanalytics.com/>
http://www.reliableenergyanalytics.com

Email:  <mailto:dick@reliableenergyanalytics.com>
dick@reliableenergyanalytics.com

Tel: +1 978-696-1788

 

 

From: SCITT <scitt-bounces@ietf.org> On Behalf Of Antoine Delignat-Lavaud
Sent: Friday, June 9, 2023 11:11 AM
To: Orie Steele <orie@transmute.industries>; dance@ietf.org
Cc: jacques.latour@cira.ca; uta@ietf.org; scitt <scitt@ietf.org>
Subject: Re: [SCITT] [EXTERNAL] Re: Leveraging DNS in Digital Trust:
Credential Exchanges and Trust Registries

 

I'm all for a DNS-based DID method, as unlike did:web it would be possible
to audit a did:dns resolution by keeping the DNSSEC signatures and key
chain. It is probably a good idea to only enable did:dns on DNSSEC zones,
otherwise inconsistencies can be blamed on network attackers, DNS caches,
etc.

 

I don't like using a very short prefix to find DID keys in TXT records.
There are already too many ways to abuse cross-protocol ability to set TXT
records (e.g. DKIM, ACME, SPF, etc)

 

Given that there are several existing DNS record types for keys (DNSKEY,
KEY, IPSECKEY, OPENPGPKEY, TLSA, TKEY), I would also prefer to re-use an
existing standard rather than introduce yet another DNS record type. DNSKEY
and TLSA are both decent option, through the later is designed for ASN.1
encoded keys and is a bit annoying to convert with JWKS/CKS.

 

Best,

Antoine

 

 

From: SCITT <scitt-bounces@ietf.org> On Behalf Of Orie Steele
Sent: Thursday, June 8, 2023 4:22 PM
To: dance@ietf.org
Cc: jacques.latour@cira.ca; uta@ietf.org; scitt <scitt@ietf.org>
Subject: [EXTERNAL] Re: [SCITT] Leveraging DNS in Digital Trust: Credential
Exchanges and Trust Registries

 

Original thread:
https://mailarchive.ietf.org/arch/msg/dance/g0eSMxmZzb1ucsFtgkVkICV5Hh8/
<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailarchi
ve.ietf.org%2Farch%2Fmsg%2Fdance%2Fg0eSMxmZzb1ucsFtgkVkICV5Hh8%2F&data=05%7C
01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f1
41af91ab2d7cd011db47%7C1%7C0%7C638218345468867932%7CUnknown%7CTWFpbGZsb3d8ey
JWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7
C%7C&sdata=V44MiJjKSt85QVoePlQJhn4d1Gj60HVB7mBUybxwsbE%3D&reserved=0> 

I read
https://www.ietf.org/archive/id/draft-latour-dns-and-digital-trust-00.html
<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.
org%2Farchive%2Fid%2Fdraft-latour-dns-and-digital-trust-00.html&data=05%7C01
%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141
af91ab2d7cd011db47%7C1%7C0%7C638218345468867932%7CUnknown%7CTWFpbGZsb3d8eyJW
IjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%
7C&sdata=XS4CcwWP9SBooeMsYwPL7pKlzZSAc0i0Jw5mhw8ULMk%3D&reserved=0>   

Previously I had read:
- https://datatracker.ietf.org/doc/draft-mayrhofer-did-dns/
<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatrack
er.ietf.org%2Fdoc%2Fdraft-mayrhofer-did-dns%2F&data=05%7C01%7Cantdl%40micros
oft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141af91ab2d7cd011db4
7%7C1%7C0%7C638218345469024142%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiL
CJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=MRXm6gqr
I0fdPLD1%2FXkRG1rsvlcXgbqwY0PgGziwyns%3D&reserved=0> 
- https://identity.foundation/.well-known/resources/did-configuration/
<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fidentity.
foundation%2F.well-known%2Fresources%2Fdid-configuration%2F&data=05%7C01%7Ca
ntdl%40microsoft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141af91
ab2d7cd011db47%7C1%7C0%7C638218345469024142%7CUnknown%7CTWFpbGZsb3d8eyJWIjoi
MC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&s
data=el6evHnTtjnFasREelT1Ai3b%2F9Hr4YyQext2vcdfzv0%3D&reserved=0>  (I'm
co-author)

I don't understand the role that "example-issuer.ca
<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fexample-is
suer.ca%2F&data=05%7C01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63808db68
342650%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638218345469024142%7CUnk
nown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXV
CI6Mn0%3D%7C3000%7C%7C%7C&sdata=EVkmskvf9Ty%2BmEwOWE4qGDHt68Tna73hcgcyWb6IBm
c%3D&reserved=0> " is playing in these records.

Why is there a need to structure the record "key" to include CA information?

Is https://datatracker.ietf.org/doc/draft-ietf-uta-rfc6125bis/
<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatrack
er.ietf.org%2Fdoc%2Fdraft-ietf-uta-rfc6125bis%2F&data=05%7C01%7Cantdl%40micr
osoft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141af91ab2d7cd011d
b47%7C1%7C0%7C638218345469024142%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDA
iLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=u5J9mj
jrEL0huA4aeLkzB7GbP5HnS03rkhV8rNklgjo%3D&reserved=0>  relevant to this
conversation?

I wanted to share some related work, from BlueSky:

They support linking https://www.w3.org/TR/did-core/
<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.w3.or
g%2FTR%2Fdid-core%2F&data=05%7C01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499
a63808db68342650%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C63821834546902
4142%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1
haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=9xUk2xQG0iGQwOblIG94gcUmSew4oevUJe
ErF0OewgM%3D&reserved=0>  to specific domains, this allows for the natural
control of a domain to be used to establish the natural authority of an
identifier, 

For example:

dig -t txt _atproto.wyden.senate.gov
<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fatproto.wy
den.senate.gov%2F&data=05%7C01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63
808db68342650%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C63821834546902414
2%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haW
wiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=bHHFaB5%2FAy%2Fuj6D%2BLd2maHxGPiR1PLu
rhuTmlYwlnAY%3D&reserved=0>  | grep 'did=' | grep -o '"did=.*"' | jq -r
'split("=")[1]'

https://github.com/w3c/did-spec-registries/pull/515
<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.co
m%2Fw3c%2Fdid-spec-registries%2Fpull%2F515&data=05%7C01%7Cantdl%40microsoft.
com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141af91ab2d7cd011db47%7C
1%7C0%7C638218345469024142%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQI
joiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=SSNIjq3qC9ia
W%2B2tpAq1PHScv6mYcxBhuHtB8KLPdgk%3D&reserved=0> 

I would like to see a standard way to link decentralized identifiers to
domains documented somewhere at IETF.

Including UTA & SCITT in case there are folks with relevant comments.

Regards,

OS

-- 

 

ORIE STEELE
Chief Technology Officer
www.transmute.industries <http://www.transmute.industries> 

 
<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftransmute
.industries%2F&data=05%7C01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63808
db68342650%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638218345469024142%7
CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiL
CJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=1RRTFtUI15nKsuaQc8%2BIlPKs18PySUMcr0QyZv
iLE9Y%3D&reserved=0>

v2.23.0 | Report a Bug | By Email