Re: [Dance] [SCITT] [EXTERNAL] Re: Leveraging DNS in Digital Trust: Credential Exchanges and Trust Registries
Dick Brooks <dick@reliableenergyanalytics.com> Fri, 09 June 2023 15:14 UTC
Return-Path: <dick@reliableenergyanalytics.com>
X-Original-To: dance@ietfa.amsl.com
Delivered-To: dance@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0F0DC1522AF; Fri, 9 Jun 2023 08:14:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=reliableenergyanalytics.com header.b="WIRxfLIc"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="GUsdDE/+"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id byal5d7fFdC7; Fri, 9 Jun 2023 08:14:41 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F93FC14CE24; Fri, 9 Jun 2023 08:14:40 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id ACA015C0163; Fri, 9 Jun 2023 11:14:37 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Fri, 09 Jun 2023 11:14:37 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= reliableenergyanalytics.com; h=cc:cc:content-type:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:reply-to:sender:subject :subject:to:to; s=fm2; t=1686323677; x=1686410077; bh=l44MeBo5fq ANix78ao1zKT8XpzRxOos+G9Ln5T+BgQw=; b=WIRxfLIcsOWxY8Tn3qkWLVihe/ I7K7Y5V+f5y0g6lfEnS0gaBpBYoxDOFXp3eDBHpog8HXqD7VA33CH3z0MbwrbmT1 5C8GrmnajYoDcMmPAZJ+oxZqbVaA/6Bt6SOttPszOI60erPuhTqA8LJadwTsRK8R ujrAQt5FpJMIV3d9MLTFNWtFaDPtMJ+j6xCRTtPBiWY7Bf9XFumvpgYkTY9x2LRQ OzT90ggLNFv/ryN4VCAuSGfFQnbKwQk1r+1m0cRn64U0bZY8kkbE9WesyW+2xzmP z+OdIQxLtHpgokCUPlnR01OoEFCsp7WwvBkLifWUBXiMq6hmTU60OxE5mUfg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:reply-to:sender :subject:subject:to:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; t=1686323677; x=1686410077; bh=l 44MeBo5fqANix78ao1zKT8XpzRxOos+G9Ln5T+BgQw=; b=GUsdDE/+Pk7YvkK4q GikjOPH0h8MQ/YdQII8Z0qpfztZaVzAypMEAEMfhkEilOkdsqzquL4DDMG/WMOWm 6CovtmJcvHT89WJo3qMz9AtY90i3qZ1xILULxJpFpNKVqHQVcc+DSe2feH+BL3uC kytOSRkYy14nwFjPqoN90UqB1jLWD6/BnTXmvoEgoXxBPsxUMAqrNmVkEYXQZOGw yyVEA3S00ZHwq10dtXMe9zIFiORDZb2QySrFE3SY1y3PzEm33gQCOlk/nIZvebyL RsXKUpH8mRwt/fwBb1JEKGSYIOXtn7H46bQ4StmnfueqTzmpAdnsAkIUT2zMs9nn f7dpQ==
X-ME-Sender: <xms:3UGDZHQCYKaE5WeuWl-kuxvmPXbWcFSWe1ytkxXRkcwdjMTULI2omA> <xme:3UGDZIxf-zvgBGPDbexWv7EYGmsJzYpAFcPrPLGFBT_6d4Renye5BgTHr-ZnJFrfy 64q28sbUX4hO633fA>
X-ME-Received: <xmr:3UGDZM3OT9bVuyuodslSNLuala9w96O1jqjlGE7P7w8KDMefbzFX_5U>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrgedtkedgkeeiucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne gfrhhlucfvnfffucdlqdefmdenucfjughrpehrhffvvehfjgfuffhokfggtgfothesrhdt ghepvddtvdenucfhrhhomhepfdffihgtkhcuuehrohhokhhsfdcuoeguihgtkhesrhgvlh hirggslhgvvghnvghrghihrghnrghlhihtihgtshdrtghomheqnecuggftrfgrthhtvghr nhepveffjeetjeetudetkedtkeeiffduteetteefvddtkeffgeevtefftdeuledvleeune cuffhomhgrihhnpehrvghlihgrsghlvggvnhgvrhhghigrnhgrlhihthhitghsrdgtohhm pdhivghtfhdrohhrghdpohhuthhlohhokhdrtghomhdpihguvghnthhithihrdhfohhunh gurghtihhonhdpvgigrghmphhlvgdqihhsshhuvghrrdgtrgdpfiefrdhorhhgpdhsvghn rghtvgdrghhovhdpghhithhhuhgsrdgtohhmpdhtrhgrnhhsmhhuthgvrdhinhguuhhsth hrihgvshenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhm peguihgtkhesrhgvlhhirggslhgvvghnvghrghihrghnrghlhihtihgtshdrtghomh
X-ME-Proxy: <xmx:3UGDZHCnpqOpLMUJlPFWU2wQVupPwRbvzyAK7LLEGG7QKJLNvOefig> <xmx:3UGDZAiv5x-Qlq8LR2YMuedpKnCVfDnuYKIhoC4rGUjXQiBglYVgvg> <xmx:3UGDZLpSLYl35Swt6tvA2QHdLgaJjScgDrIctfFAzuvIW5BigJzsnw> <xmx:3UGDZIeUJ8o_KvUJesx_FvQxepcFgEmgPog-Y1TUi3jBz2GkNymODw>
Feedback-ID: i57d944d0:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Fri, 9 Jun 2023 11:14:37 -0400 (EDT)
Reply-To: dick@reliableenergyanalytics.com
From: Dick Brooks <dick@reliableenergyanalytics.com>
To: 'Antoine Delignat-Lavaud' <antdl=40microsoft.com@dmarc.ietf.org>, 'Orie Steele' <orie@transmute.industries>, dance@ietf.org
Cc: jacques.latour@cira.ca, uta@ietf.org, 'scitt' <scitt@ietf.org>
References: <CAN8C-_KcJ8G+QX99SA859N=oS8-cXqziy-WwovV7jUS6GM29EQ@mail.gmail.com> <PA4PR83MB0527E89A708983B5BC27918AB251A@PA4PR83MB0527.EURPRD83.prod.outlook.com>
In-Reply-To: <PA4PR83MB0527E89A708983B5BC27918AB251A@PA4PR83MB0527.EURPRD83.prod.outlook.com>
Date: Fri, 09 Jun 2023 11:14:33 -0400
Organization: Reliable Energy Analytics LLC
Message-ID: <505701d99ae5$1a4be4f0$4ee3aed0$@reliableenergyanalytics.com>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_5058_01D99AC3.933CB5F0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGOHO/0k9aNAEwiOsaNeHeDRZ4IPAKs7ShksAQokJA=
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/dance/WpefvHYoQuU8SJwqgbjubJOqym4>
Subject: Re: [Dance] [SCITT] [EXTERNAL] Re: Leveraging DNS in Digital Trust: Credential Exchanges and Trust Registries
X-BeenThere: dance@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DANE Authentication for Network Clients Everywhere <dance.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dance>, <mailto:dance-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dance/>
List-Post: <mailto:dance@ietf.org>
List-Help: <mailto:dance-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dance>, <mailto:dance-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jun 2023 15:14:46 -0000
I concur. DNS also contains CAA records to indicate which CA's are authorized to issue digital certificates for the organization owning a dns name. Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership <https://reliableenergyanalytics.com/products> Never trust software, always verify and report! T <http://www.reliableenergyanalytics.com/> http://www.reliableenergyanalytics.com Email: <mailto:dick@reliableenergyanalytics.com> dick@reliableenergyanalytics.com Tel: +1 978-696-1788 From: SCITT <scitt-bounces@ietf.org> On Behalf Of Antoine Delignat-Lavaud Sent: Friday, June 9, 2023 11:11 AM To: Orie Steele <orie@transmute.industries>; dance@ietf.org Cc: jacques.latour@cira.ca; uta@ietf.org; scitt <scitt@ietf.org> Subject: Re: [SCITT] [EXTERNAL] Re: Leveraging DNS in Digital Trust: Credential Exchanges and Trust Registries I'm all for a DNS-based DID method, as unlike did:web it would be possible to audit a did:dns resolution by keeping the DNSSEC signatures and key chain. It is probably a good idea to only enable did:dns on DNSSEC zones, otherwise inconsistencies can be blamed on network attackers, DNS caches, etc. I don't like using a very short prefix to find DID keys in TXT records. There are already too many ways to abuse cross-protocol ability to set TXT records (e.g. DKIM, ACME, SPF, etc) Given that there are several existing DNS record types for keys (DNSKEY, KEY, IPSECKEY, OPENPGPKEY, TLSA, TKEY), I would also prefer to re-use an existing standard rather than introduce yet another DNS record type. DNSKEY and TLSA are both decent option, through the later is designed for ASN.1 encoded keys and is a bit annoying to convert with JWKS/CKS. Best, Antoine From: SCITT <scitt-bounces@ietf.org> On Behalf Of Orie Steele Sent: Thursday, June 8, 2023 4:22 PM To: dance@ietf.org Cc: jacques.latour@cira.ca; uta@ietf.org; scitt <scitt@ietf.org> Subject: [EXTERNAL] Re: [SCITT] Leveraging DNS in Digital Trust: Credential Exchanges and Trust Registries Original thread: https://mailarchive.ietf.org/arch/msg/dance/g0eSMxmZzb1ucsFtgkVkICV5Hh8/ <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailarchi ve.ietf.org%2Farch%2Fmsg%2Fdance%2Fg0eSMxmZzb1ucsFtgkVkICV5Hh8%2F&data=05%7C 01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f1 41af91ab2d7cd011db47%7C1%7C0%7C638218345468867932%7CUnknown%7CTWFpbGZsb3d8ey JWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7 C%7C&sdata=V44MiJjKSt85QVoePlQJhn4d1Gj60HVB7mBUybxwsbE%3D&reserved=0> I read https://www.ietf.org/archive/id/draft-latour-dns-and-digital-trust-00.html <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf. org%2Farchive%2Fid%2Fdraft-latour-dns-and-digital-trust-00.html&data=05%7C01 %7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141 af91ab2d7cd011db47%7C1%7C0%7C638218345468867932%7CUnknown%7CTWFpbGZsb3d8eyJW IjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C% 7C&sdata=XS4CcwWP9SBooeMsYwPL7pKlzZSAc0i0Jw5mhw8ULMk%3D&reserved=0> Previously I had read: - https://datatracker.ietf.org/doc/draft-mayrhofer-did-dns/ <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatrack er.ietf.org%2Fdoc%2Fdraft-mayrhofer-did-dns%2F&data=05%7C01%7Cantdl%40micros oft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141af91ab2d7cd011db4 7%7C1%7C0%7C638218345469024142%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiL CJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=MRXm6gqr I0fdPLD1%2FXkRG1rsvlcXgbqwY0PgGziwyns%3D&reserved=0> - https://identity.foundation/.well-known/resources/did-configuration/ <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fidentity. foundation%2F.well-known%2Fresources%2Fdid-configuration%2F&data=05%7C01%7Ca ntdl%40microsoft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141af91 ab2d7cd011db47%7C1%7C0%7C638218345469024142%7CUnknown%7CTWFpbGZsb3d8eyJWIjoi MC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&s data=el6evHnTtjnFasREelT1Ai3b%2F9Hr4YyQext2vcdfzv0%3D&reserved=0> (I'm co-author) I don't understand the role that "example-issuer.ca <https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fexample-is suer.ca%2F&data=05%7C01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63808db68 342650%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638218345469024142%7CUnk nown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXV CI6Mn0%3D%7C3000%7C%7C%7C&sdata=EVkmskvf9Ty%2BmEwOWE4qGDHt68Tna73hcgcyWb6IBm c%3D&reserved=0> " is playing in these records. Why is there a need to structure the record "key" to include CA information? Is https://datatracker.ietf.org/doc/draft-ietf-uta-rfc6125bis/ <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatrack er.ietf.org%2Fdoc%2Fdraft-ietf-uta-rfc6125bis%2F&data=05%7C01%7Cantdl%40micr osoft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141af91ab2d7cd011d b47%7C1%7C0%7C638218345469024142%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDA iLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=u5J9mj jrEL0huA4aeLkzB7GbP5HnS03rkhV8rNklgjo%3D&reserved=0> relevant to this conversation? I wanted to share some related work, from BlueSky: They support linking https://www.w3.org/TR/did-core/ <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.w3.or g%2FTR%2Fdid-core%2F&data=05%7C01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499 a63808db68342650%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C63821834546902 4142%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1 haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=9xUk2xQG0iGQwOblIG94gcUmSew4oevUJe ErF0OewgM%3D&reserved=0> to specific domains, this allows for the natural control of a domain to be used to establish the natural authority of an identifier, For example: dig -t txt _atproto.wyden.senate.gov <https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fatproto.wy den.senate.gov%2F&data=05%7C01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63 808db68342650%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C63821834546902414 2%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haW wiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=bHHFaB5%2FAy%2Fuj6D%2BLd2maHxGPiR1PLu rhuTmlYwlnAY%3D&reserved=0> | grep 'did=' | grep -o '"did=.*"' | jq -r 'split("=")[1]' https://github.com/w3c/did-spec-registries/pull/515 <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.co m%2Fw3c%2Fdid-spec-registries%2Fpull%2F515&data=05%7C01%7Cantdl%40microsoft. com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141af91ab2d7cd011db47%7C 1%7C0%7C638218345469024142%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQI joiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=SSNIjq3qC9ia W%2B2tpAq1PHScv6mYcxBhuHtB8KLPdgk%3D&reserved=0> I would like to see a standard way to link decentralized identifiers to domains documented somewhere at IETF. Including UTA & SCITT in case there are folks with relevant comments. Regards, OS -- ORIE STEELE Chief Technology Officer www.transmute.industries <http://www.transmute.industries> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftransmute .industries%2F&data=05%7C01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63808 db68342650%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638218345469024142%7 CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiL CJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=1RRTFtUI15nKsuaQc8%2BIlPKs18PySUMcr0QyZv iLE9Y%3D&reserved=0>
- Re: [Dance] Leveraging DNS in Digital Trust: Cred… Orie Steele
- Re: [Dance] [SCITT] Leveraging DNS in Digital Tru… Dick Brooks
- Re: [Dance] [EXT] Re: Leveraging DNS in Digital T… Jacques Latour
- Re: [Dance] [EXTERNAL] Re: [SCITT] Leveraging DNS… Antoine Delignat-Lavaud
- Re: [Dance] [SCITT] [EXTERNAL] Re: Leveraging DNS… Dick Brooks
- Re: [Dance] [EXT] Re: Leveraging DNS in Digital T… Orie Steele
- Re: [Dance] [EXTERNAL] Re: [SCITT] Leveraging DNS… Orie Steele