Re: [Dance] DANCE Architecture draft
"Olle E. Johansson" <oej@edvina.net> Mon, 14 November 2022 13:09 UTC
Return-Path: <oej@edvina.net>
X-Original-To: dance@ietfa.amsl.com
Delivered-To: dance@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49D34C152572 for <dance@ietfa.amsl.com>; Mon, 14 Nov 2022 05:09:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.897
X-Spam-Level:
X-Spam-Status: No, score=-6.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V20t5_pUPIjU for <dance@ietfa.amsl.com>; Mon, 14 Nov 2022 05:09:36 -0800 (PST)
Received: from smtp7.webway.se (smtp7.webway.se [IPv6:2a02:920:212e::205]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4153AC152589 for <dance@ietf.org>; Mon, 14 Nov 2022 05:09:33 -0800 (PST)
Received: from smtpclient.apple (h-176-10-205-12.A165.corp.bahnhof.se [176.10.205.12]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp7.webway.se (Postfix) with ESMTPSA id 25AE5217B; Mon, 14 Nov 2022 14:09:32 +0100 (CET)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\))
From: "Olle E. Johansson" <oej@edvina.net>
In-Reply-To: <20221114130103.GA1845@openfortress.nl>
Date: Mon, 14 Nov 2022 14:09:31 +0100
Cc: dance@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <8038FA1B-0ED9-43DB-B49B-7D7A944AE45B@edvina.net>
References: <92E290E3-ADDF-4969-8317-CB0E51EBA054@edvina.net> <20221114130103.GA1845@openfortress.nl>
To: Rick van Rein <rick@openfortress.nl>
X-Mailer: Apple Mail (2.3696.80.82.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dance/mX4nIRE3LjXa4t-yGuU2hIvuKXM>
Subject: Re: [Dance] DANCE Architecture draft
X-BeenThere: dance@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DANE Authentication for Network Clients Everywhere <dance.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dance>, <mailto:dance-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dance/>
List-Post: <mailto:dance@ietf.org>
List-Help: <mailto:dance-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dance>, <mailto:dance-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Nov 2022 13:09:40 -0000
> On 14 Nov 2022, at 14:01, Rick van Rein <rick@openfortress.nl> wrote: > > Hi, > >> My suggestion was to >> - Create a separate “how to dance” document with advice on how to adopt this to various protocols and what needs to be covered in more use-case specific drafts > > That sounds like a good idea, and it should be open for later additions if at all possible. Thanks > > The examples in draft-ietf-dance-client-auth are very loose, and I would argue > that strong prescriptive examples are ideal from the perspective of interop. That’s not the draft that was in topic for this mail :-) > >> In addition we discussed a more generic “confirming email-style identifiers with Dance” draft and had people in the room willing to start with that. This could potentially apply to authenticating for SMTP/Submission, SIP ua to registrar/proxy and similar use cases. > > Yes, gladly. This is what I've always thought when I hear the term > Client DANE (the devices would have been my second, also very useful, > case). In order for me to get anywhere with the edits, I would like for us to keep discussions on topic. Your response contains a lot of information that’s worthy of discussion, but it’s impossible for me to sort out if you want this in the architecture draft or if you’ve started other work… I will try to comment separately on those where I personally am able to comment :-) /O > > I think the distinction is that this is not a host-wide but a user-specific > form, and its DNS naming could be > > [service]._user.[domainname] IN TLSA x x x xxxx > > Where Root/Intermediate CA certificates are a useful form because they are > permissive for many protocols. > > Wildcards might be used to say things that apply to a plethora of > services, > > *._user.[domainname] IN TLSA x x x xxxx > > These cover-all would be overridden under DNS rules for more special services, > > xmpp._user.[domainname] IN TLSA x x x xxxx > > And they could be forbidden under DNS rules for other services, perhaps for > SMTP becauses the mail protocol for users is called "submission" and "smtp" > is reserved for mta2mta, > > smtp._user.[domainname] IN TXT "Client DANE wildcard blocked" > > > Playing with these special kinds also brings up other values for the "x x x" > entries, which I think would be useful. We might also think about the use of > CNAME and DNAME references, which a DNS server normally handles. > >> I will try to put up a skeleton for a “how to dance” document on the git repo soon and skeleton for the use cases so I can start cutting things out of architecture and put into those skeletons for further work by the group. > > Lovely. I already wrote to a few issues that I might be able to help with. > > I would also like to add LDAP, because it is such a potent database, esp. > when the Client Identity is known. > >> Any help with this is of course very appreciated. > > I intend to keep you happy :) > >> During the WG meeting I suggested to do a massive edit of the architecture draft > > I have a few suggestions, but please let me know if I missed documentation > (or perhaps am repeating past discussion). Will send text or PRs when > requested. > > 1. Be explicit about authentication/authn vs. authorization/authz. While > authn is the responsibility of TLS, authz is an application matter. As an > example, the lookup of client names in a list is a very specific example of > authz, and I would rather see it changed into something like "the application > makes an authorization choice". The term "DANE preauthorization" confuses me. > I don't know how authz would apply when a DNS wildcard is used. > > 2. Comparison of dane_clientid to [a list of] client domains... are you trying > to (a) match the domain part after Client DANE labels [that would be authn] or > (b) match the Client DANE labels [that would be authz] or both [that's mixed]? > Since not all Client DANE labels end with a _device or _service or _user in the > same place it may be possible to do naughty things to any check on them. > > 3. "DNS records should be validated by the DNS stub resolver, using the DNSSEC protocol." > This is a case where "should" can be written "SHOULD" or "MUST". For more detail, > these lyrics from draft-vanrein-dnstxt-krb1 may help: > > <t>Since DNS in general cannot be considered secure, the client MUST validate > DNSSEC and it MUST dismiss any DNS responses that are Insecure, Bogus or > Indeterminate [Section 5 of <xref target="RFC4033"/>]. Only the remaining > Secure responses are to be taken into account. This specification does > not require that the DNS client validates the responses by itself, but a > deployment of _kerberos TXT records SHOULD NOT accept DNS responses from > a trusted validating DNS resolver over untrusted communication channels.</t> > > 4. On privacy of identity: Hashing a userid does not always help. If it's a > predictable form itl1235123 then iteration is very easy. And because it'd be > a static substitution it wouldn't add dynamicity. You might consider a * for > the client name, and otherwise benefit from TLS 1.3 encryption of the clicert. > > 5. On DNS scaling: TLS may be slowed down, I am not sure about DTLS. Recurring > DNS queries on the same DNS server may be a hint to delay traffic. Bloom filters > can make such hold-back fairly easy to implement. Question: Is this sufficiently > in the interest of the TLS server operator? > > > I hope this helps! > -Rick > > -- > Dance mailing list > Dance@ietf.org > https://www.ietf.org/mailman/listinfo/dance
- [Dance] DANCE Architecture draft Olle E. Johansson
- Re: [Dance] DANCE Architecture draft Rick van Rein
- Re: [Dance] DANCE Architecture draft Olle E. Johansson
- Re: [Dance] DANCE user naming Olle E. Johansson
- Re: [Dance] DANCE Architecture draft Michael Richardson
- Re: [Dance] DANCE user naming Rick van Rein
- Re: [Dance] DANCE user naming Tim Wicinski
- Re: [Dance] DANCE Architecture draft Olle E. Johansson
- Re: [Dance] DANCE user naming Olle E. Johansson
- Re: [Dance] DANCE user naming Rick van Rein
- Re: [Dance] DANCE user naming Rick van Rein
- Re: [Dance] DANCE user naming Michael Richardson