Re: [Dance] [EXTERNAL] Re: [SCITT] Leveraging DNS in Digital Trust: Credential Exchanges and Trust Registries
Orie Steele <orie@transmute.industries> Fri, 09 June 2023 16:01 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: dance@ietfa.amsl.com
Delivered-To: dance@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3036C14CEE3 for <dance@ietfa.amsl.com>; Fri, 9 Jun 2023 09:01:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.075
X-Spam-Level:
X-Spam-Status: No, score=-1.075 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DOTGOV_IMAGE=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vaHxHYEtJ-mg for <dance@ietfa.amsl.com>; Fri, 9 Jun 2023 09:01:39 -0700 (PDT)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D977C14CF18 for <dance@ietf.org>; Fri, 9 Jun 2023 09:01:39 -0700 (PDT)
Received: by mail-ed1-x52b.google.com with SMTP id 4fb4d7f45d1cf-5149bdb59daso2924257a12.2 for <dance@ietf.org>; Fri, 09 Jun 2023 09:01:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1686326497; x=1688918497; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=svF96sZUKcqf1V3dI7RfBtZjcakpfMCk0sfuGtSAo1k=; b=UmwncVwqcF5//X+JA50blRq8QWOnn/ocqWZbpJFCRGxNY+8t6nFU8+G3YihncZOzei +8RJ+4bchpPVooPHFKQb8L5rTgh3CZN+4r+AfZ1dkvzNWpfTCnra2TnCV3GA7R+c7HbB 5Q8TKH2uiKnxcMopj9bgyrSR1LEQMjgoiiMlaolj55fjQ3A0HMingJqS5YI4br+mZn1L YGUXWfHRYOzWxDmqz5KOjN8NztfIImCo509WCjiPNd/Mjp/h+7O2L+X1D37tALPYZmVi vvct3ya38tEuli1ulj2xLlqc2b1u58lPBs/+uAT4mFt5u+0Pw+gLEKrN5yncpnlTNBtq VsgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686326497; x=1688918497; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=svF96sZUKcqf1V3dI7RfBtZjcakpfMCk0sfuGtSAo1k=; b=JFedDPZ5wqVpQ8ruD2D6kUeo11uL6kXcl28O59Bmz45LHNQIxfXvnU9AvcrulFxn7x lfkiJQ1vmMu3gchhMtXi1w6SnfdzYwK1Dv4lqX8c8V2T/VASWfFIZEIotHOdB/UZOqU7 F+ntAGf4v6EvC+QM/Wr3k9ufPsv4NSaSTqGONd43LrNWXVDtP+SPoloev+UPzMb5a3ZY bEHs7nJ47CHIvCtF/PgQhhiCf6i8ecIpWVTvjLaZDHn0h2sB8TbQA/exKwK5St5PKYeC L2RObu9JZGD7EWeBJjnctFl3c9knSTcSw8o3Rv4Z+9CT6MGx+BQ5VBP7cUbBtndtbtV8 YKkw==
X-Gm-Message-State: AC+VfDyptwwlUIyEGmS40e01lebqbyKag28r4vbe1Zm45mtRguoi1mFz u1bJwhjTrU+zyowh3a1vIWtAMwQ/4Ytf6O5XonqryA==
X-Google-Smtp-Source: ACHHUZ4haTp7LOZ/4RqRq1bkBEHSXMEv9UBSJp9YRYnSwghvP4t2JzPECggcYwvVeSmYxxGouXvVapDhRhwGfgViQI4=
X-Received: by 2002:a17:907:707:b0:94f:956:b3f7 with SMTP id xb7-20020a170907070700b0094f0956b3f7mr2008109ejb.2.1686326496627; Fri, 09 Jun 2023 09:01:36 -0700 (PDT)
MIME-Version: 1.0
References: <CAN8C-_KcJ8G+QX99SA859N=oS8-cXqziy-WwovV7jUS6GM29EQ@mail.gmail.com> <PA4PR83MB0527E89A708983B5BC27918AB251A@PA4PR83MB0527.EURPRD83.prod.outlook.com>
In-Reply-To: <PA4PR83MB0527E89A708983B5BC27918AB251A@PA4PR83MB0527.EURPRD83.prod.outlook.com>
From: Orie Steele <orie@transmute.industries>
Date: Fri, 09 Jun 2023 11:01:25 -0500
Message-ID: <CAN8C-_+ry+gQS9+g+fvT9tfLGJ5ptxPu8aAeSB1uKCcCLCQW+w@mail.gmail.com>
To: Antoine Delignat-Lavaud <antdl@microsoft.com>
Cc: "dance@ietf.org" <dance@ietf.org>, "jacques.latour@cira.ca" <jacques.latour@cira.ca>, "uta@ietf.org" <uta@ietf.org>, scitt <scitt@ietf.org>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Carsten Bormann <cabo@tzi.org>, protocol@blueskyweb.xyz
Content-Type: multipart/alternative; boundary="000000000000cea6b905fdb47bf9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dance/XALzTQEO-3JnJDbhzyAVlPkXdvU>
Subject: Re: [Dance] [EXTERNAL] Re: [SCITT] Leveraging DNS in Digital Trust: Credential Exchanges and Trust Registries
X-BeenThere: dance@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DANE Authentication for Network Clients Everywhere <dance.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dance>, <mailto:dance-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dance/>
List-Post: <mailto:dance@ietf.org>
List-Help: <mailto:dance-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dance>, <mailto:dance-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jun 2023 16:01:43 -0000
Inline: On Fri, Jun 9, 2023 at 10:10 AM Antoine Delignat-Lavaud <antdl@microsoft.com> wrote: > I’m all for a DNS-based DID method, as unlike did:web it would be possible > to audit a did:dns resolution by keeping the DNSSEC signatures and key > chain. It is probably a good idea to only enable did:dns on DNSSEC zones, > otherwise inconsistencies can be blamed on network attackers, DNS caches, > etc. > > > > I don’t like using a very short prefix to find DID keys in TXT records. > There are already too many ways to abuse cross-protocol ability to set TXT > records (e.g. DKIM, ACME, SPF, etc) > > > > Given that there are several existing DNS record types for keys (DNSKEY, > KEY, IPSECKEY, OPENPGPKEY, TLSA, TKEY), I would also prefer to re-use an > existing standard rather than introduce yet another DNS record type. DNSKEY > and TLSA are both decent option, through the later is designed for ASN.1 > encoded keys and is a bit annoying to convert with JWKS/CKS. > Yes, when I learned of what at protocol was doing, my first thought was they could have just put their https://www.w3.org/TR/did-core/#verification-relationships Directly into the records, so resolution would be a pure function of "dig"... For example: did:dig-example-method:vendor.example -> controller / subject ... https://www.w3.org/TR/did-core/#did-controller / https://www.w3.org/TR/did-core/#did-subject did:dig-example-method:vendor.example#authentication-key (signing) ... https://www.w3.org/TR/did-core/#authentication did:dig-example-method:vendor.example#assertion-key (signing) ... https://www.w3.org/TR/did-core/#assertion did:dig-example-method:vendor.example#key-agreement (encryption) ... https://www.w3.org/TR/did-core/#key-agreement Of course, this would be a "new" did method, but perhaps one more useful than "did:plc". There would also be limits on the size of keys stored in this manner (and privacy issues for key metadata), which is why it would be nice if COSE Key supports x5c / x5u... it does not: https://www.iana.org/assignments/cose/cose.xhtml#key-common-parameters Still, you could include JWKS that do, here is an example: https://contoso.auth0.com/.well-known/jwks.json Obviously putting the JWK directly into the record might cause us to wish for smaller key representations... there are always "multi formats"... - https://w3c.github.io/vc-data-integrity/#verification-material - https://www.w3.org/TR/did-core/#verification-material Personally, I would prefer COSE Key supported what JWK supports... and not to take multi formats as a dependency. OS > > > Best, > > Antoine > > > > > > *From:* SCITT <scitt-bounces@ietf.org> *On Behalf Of *Orie Steele > *Sent:* Thursday, June 8, 2023 4:22 PM > *To:* dance@ietf.org > *Cc:* jacques.latour@cira.ca; uta@ietf.org; scitt <scitt@ietf.org> > *Subject:* [EXTERNAL] Re: [SCITT] Leveraging DNS in Digital Trust: > Credential Exchanges and Trust Registries > > > > Original thread: > https://mailarchive.ietf.org/arch/msg/dance/g0eSMxmZzb1ucsFtgkVkICV5Hh8/ > > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Fdance%2Fg0eSMxmZzb1ucsFtgkVkICV5Hh8%2F&data=05%7C01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638218345468867932%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=V44MiJjKSt85QVoePlQJhn4d1Gj60HVB7mBUybxwsbE%3D&reserved=0> > I read > https://www.ietf.org/archive/id/draft-latour-dns-and-digital-trust-00.html > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Farchive%2Fid%2Fdraft-latour-dns-and-digital-trust-00.html&data=05%7C01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638218345468867932%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=XS4CcwWP9SBooeMsYwPL7pKlzZSAc0i0Jw5mhw8ULMk%3D&reserved=0> > > > Previously I had read: > - https://datatracker.ietf.org/doc/draft-mayrhofer-did-dns/ > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-mayrhofer-did-dns%2F&data=05%7C01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638218345469024142%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=MRXm6gqrI0fdPLD1%2FXkRG1rsvlcXgbqwY0PgGziwyns%3D&reserved=0> > - https://identity.foundation/.well-known/resources/did-configuration/ > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fidentity.foundation%2F.well-known%2Fresources%2Fdid-configuration%2F&data=05%7C01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638218345469024142%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=el6evHnTtjnFasREelT1Ai3b%2F9Hr4YyQext2vcdfzv0%3D&reserved=0> (I'm > co-author) > > I don't understand the role that "example-issuer.ca > <https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fexample-issuer.ca%2F&data=05%7C01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638218345469024142%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=EVkmskvf9Ty%2BmEwOWE4qGDHt68Tna73hcgcyWb6IBmc%3D&reserved=0>" > is playing in these records. > > Why is there a need to structure the record "key" to include CA > information? > > Is https://datatracker.ietf.org/doc/draft-ietf-uta-rfc6125bis/ > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-uta-rfc6125bis%2F&data=05%7C01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638218345469024142%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=u5J9mjjrEL0huA4aeLkzB7GbP5HnS03rkhV8rNklgjo%3D&reserved=0> relevant > to this conversation? > > I wanted to share some related work, from BlueSky: > > They support linking https://www.w3.org/TR/did-core/ > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.w3.org%2FTR%2Fdid-core%2F&data=05%7C01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638218345469024142%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=9xUk2xQG0iGQwOblIG94gcUmSew4oevUJeErF0OewgM%3D&reserved=0> > to specific domains, this allows for the natural control of a domain to be > used to establish the natural authority of an identifier, > > For example: > > dig -t txt _atproto.wyden.senate.gov > <https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fatproto.wyden.senate.gov%2F&data=05%7C01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638218345469024142%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=bHHFaB5%2FAy%2Fuj6D%2BLd2maHxGPiR1PLurhuTmlYwlnAY%3D&reserved=0> > | grep 'did=' | grep -o '"did=.*"' | jq -r 'split("=")[1]' > > https://github.com/w3c/did-spec-registries/pull/515 > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3c%2Fdid-spec-registries%2Fpull%2F515&data=05%7C01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638218345469024142%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=SSNIjq3qC9iaW%2B2tpAq1PHScv6mYcxBhuHtB8KLPdgk%3D&reserved=0> > > I would like to see a standard way to link decentralized identifiers to > domains documented somewhere at IETF. > > Including UTA & SCITT in case there are folks with relevant comments. > > Regards, > > OS > > -- > > > > > *ORIE STEELE*Chief Technology Officer > www.transmute.industries > > > <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftransmute.industries%2F&data=05%7C01%7Cantdl%40microsoft.com%7Cd090b78c3a4a4499a63808db68342650%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638218345469024142%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=1RRTFtUI15nKsuaQc8%2BIlPKs18PySUMcr0QyZviLE9Y%3D&reserved=0> > -- ORIE STEELE Chief Technology Officer www.transmute.industries <https://transmute.industries>
- Re: [Dance] Leveraging DNS in Digital Trust: Cred… Orie Steele
- Re: [Dance] [SCITT] Leveraging DNS in Digital Tru… Dick Brooks
- Re: [Dance] [EXT] Re: Leveraging DNS in Digital T… Jacques Latour
- Re: [Dance] [EXTERNAL] Re: [SCITT] Leveraging DNS… Antoine Delignat-Lavaud
- Re: [Dance] [SCITT] [EXTERNAL] Re: Leveraging DNS… Dick Brooks
- Re: [Dance] [EXT] Re: Leveraging DNS in Digital T… Orie Steele
- Re: [Dance] [EXTERNAL] Re: [SCITT] Leveraging DNS… Orie Steele