[Dance] Re: [TLS] Re: Last Call: <draft-ietf-dance-client-auth-09.txt> (TLS Client Authentication via DANE TLSA records) to Proposed Standard

Eric Rescorla <ekr@rtfm.com> Mon, 26 January 2026 16:51 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dance@mail2.ietf.org
Delivered-To: dance@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 60A42AD31D89 for <dance@mail2.ietf.org>; Mon, 26 Jan 2026 08:51:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uvbyIzNXa7qo for <dance@mail2.ietf.org>; Mon, 26 Jan 2026 08:51:48 -0800 (PST)
Received: from mail-yx1-xb12e.google.com (mail-yx1-xb12e.google.com [IPv6:2607:f8b0:4864:20::b12e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id CC98CAD31C97 for <dance@ietf.org>; Mon, 26 Jan 2026 08:51:15 -0800 (PST)
Received: by mail-yx1-xb12e.google.com with SMTP id 956f58d0204a3-6493937c208so4224310d50.2 for <dance@ietf.org>; Mon, 26 Jan 2026 08:51:15 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1769446275; cv=none; d=google.com; s=arc-20240605; b=eveeCWL+7k0177LzIRU9qdi15P337eoORtXH5505kgmQeNBu5An5frPB5JdBzu8DTS AdrKL/I+KUnWI4B83sAlWQ4ibCWsOv7kexBeAo4vvSNjhtFJ6SQ894oRkBB5AW77XhQG qvLFUz/cvOY7A9xqtC13vm6aGN6SLy3AnPHkeNvG385R78IkbrLGT0XGzTxWgOYNnJQw AzgWRha5LInAf61WKE5MIQPT4t+pLjUi96FJTBAAQrM7CbBItIF+ScNJwlUSbb5LLZGk 6VA+VkHODN+pHjLwPa0KbpzgMPZudQ3nfn0S/f2Az9o+DNse1eoJTsaX9Ldlb+/FWe41 cX2A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=EEphVsZTYwJr1IAj7SOE6VzGF5onrY+6G24zlvYA5N8=; fh=FfO+lgMoV6Mup5z/oSk8XUAcG3NixRC/yL7/jdH0+ao=; b=ZCGClD2vOHsK+pKCgwiq/ztPUMb1rcO5OjIyVgwL7u8hWbJL77ZfV30NKTJB5yzap6 1kmp7KF7Yyqae1v5moimEqWcUJJiTSq9YFOkHSrBjAU7F/eDYFdZPGtwje2Lo+M/XLPh Wq6fLZX1lv9pFGf5rkirsWnl19M2f6ijE3GonyZvNql44ceRJkdDeylDX7OMrtbf3Y1D ASaMQ/f16ByBNif41OMkuS2cwxcNznZb/vGVMHadmM7Nm187qdVuiAlM0fnL7nIHk584 5TZ0RtyBO5RVsHg2DcCYPjWvgSnLRJTeh8lnUr0CDscOfjtkPdD+9tzwzG1gAK0A2JBg C4ag==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1769446275; x=1770051075; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=EEphVsZTYwJr1IAj7SOE6VzGF5onrY+6G24zlvYA5N8=; b=w/chMRhGuTyOSrjGckPLHtr8pq3tPKUSFXh4DAVmex4LesQA4ZoKV9xC8k3d6iwiim tSO2/k1IuCvZMi+ZJqjKeO6pLM9+Y/Xg8/ahdNevA5uCv9fYtlAZ4Z5JA0+bpv1+RXl3 Uj3odOcejdRO/kgmQsavHJy3ClzGyTYZAhlqJn/D266HkU87QUQ3Nbw2BaZozRQ9xJKi jJOYawWLh72rxSqT50I76E1zNMT+Xcdo/ZC4NSICBhyQK6NTN7OEQzdPQpj8Mth98cX5 f25HdShLZULvxnxuv31LMikgwHOSSKk2T89+dj1yTwEHGDk1U75y1qoaMlqyCR/VFPo8 G6nA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769446275; x=1770051075; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=EEphVsZTYwJr1IAj7SOE6VzGF5onrY+6G24zlvYA5N8=; b=i4963vcs7D4RuUw/E+1NwST8x8MUVVAepNjTAVMHQKlNlX3/21HuTAJzHxKlxhQf38 f3vG5kPKvBkzPqM9qN/U52r5AT9m3xIuTKC0MDr2F5cOBMCrcvHbr5WJIJV5p7A69uqv 1+Zog14o4iCTgP0xHfpA4VDpJcJXf7uWGA4o8ve2E/0qZwkzOUahClNHvlNEVX6R74GE 8ZZpLE256qLxiYurgIPunqMW4sxOIUosSRNdBELlyUXj1k/FxP0T1rOjfJo9/S9YkBZs Thp3mEBBW3ppPjuq/3FwQ/YZku9BM86Vk3sIyYeih4w5+LkVlphSJ0ezWejlOULzshxe GPgQ==
X-Forwarded-Encrypted: i=1; AJvYcCXfddyaK6Uu07XAJ7CWFyg3qgbGUByF7JZosnY9ZHJ2SgbfRb4vuqB3EwMzfabsI/MxgX/8iw==@ietf.org
X-Gm-Message-State: AOJu0YyHe0CUe+8fRNUnoVZUz7lAEMUW3R3io8lyHaYndY7Ex7INCBes 9OujuCeMMcuaMbM2FKm3Ivi/VRbS299QRroDhh8+8sZawoJjvmzUzoG51EReo3k3XX7pYnBjk3m OxxYkBuWplTB2o2hxwev55v4TraqRjmSjwR2Kn5ofEQ==
X-Gm-Gg: AZuq6aJJBh2G6ThnpHLqY+dCXwLkOll/+DAl9E1JlflDVQhYdX8CrGonjjq1ymF0uwx fiqL5nVpBpVsZ8NhPNL1Ka8vPfydD5PzqKp/0gCbTsOzY9FmHflD26yDYdE5Mlu1BFIOigwEFQf IiYZ4y/T1jHbFlOZ/iNiZ1nM96ufevazsE6iBcSljyPhb15o/uXcTf2ccy3IHr62spSE/wo64ty vft82rEyo5qDyJuyGqcugz2pd4pMJebjzSXCGDQmrxOikoJXliWBUIfOHJFkQtWg8DcSRnAYpMF DH7pOXwMOGSEqMpdUMlWavoJJGsE01aSdV03F97Zpqfqxe/ax83RihcvlQ0m5iVPJmjR/xRdOMv U9O1Vuy4lNw==
X-Received: by 2002:a05:690e:4011:b0:649:6830:2f5c with SMTP id 956f58d0204a3-64970b5035emr4262050d50.14.1769446275262; Mon, 26 Jan 2026 08:51:15 -0800 (PST)
MIME-Version: 1.0
References: <176529902699.1146491.1360588667931244217@dt-datatracker-5bd94c585b-wk4l4> <CABcZeBOCNZf-mYJ2DM1YTnUAYpvtyc5Ba2qQ6aOmsYhS1y5fvA@mail.gmail.com> <CAHPuVdV4TvP4kHsEC=7K5QNFZUktYCRU44LqJr33fzB5Md+Q1Q@mail.gmail.com> <MN2PR17MB4031E3807DE7137A169C2E24CD93A@MN2PR17MB4031.namprd17.prod.outlook.com> <CAHPuVdWssWuFsZNjKHOXc=sRyEDwAzpbtaUkZuTMvZW0=BXGJA@mail.gmail.com>
In-Reply-To: <CAHPuVdWssWuFsZNjKHOXc=sRyEDwAzpbtaUkZuTMvZW0=BXGJA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 26 Jan 2026 08:50:38 -0800
X-Gm-Features: AZwV_Qj-4iO2kv8HAjwVGUQpkhUgiPcgsu9UlyWvOz4ii4d-CaNEpnVyStP61_g
Message-ID: <CABcZeBMcShiaC-Rrd8zdH=xa4OU2dtKtAVVfZF496t=2qJS-fw@mail.gmail.com>
To: Shumon Huque <shuque@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000afbb1f06494d5007"
Message-ID-Hash: RYNOXH2EIFTMISWUAX6EUQLQEPCN7CCG
X-Message-ID-Hash: RYNOXH2EIFTMISWUAX6EUQLQEPCN7CCG
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Salz, Rich" <rsalz@akamai.com>, "last-call@ietf.org" <last-call@ietf.org>, "dance-chairs@ietf.org" <dance-chairs@ietf.org>, "dance@ietf.org" <dance@ietf.org>, "draft-ietf-dance-client-auth@ietf.org" <draft-ietf-dance-client-auth@ietf.org>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>, "paul.wouters@aiven.io" <paul.wouters@aiven.io>, TLS WG <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Dance] Re: [TLS] Re: Last Call: <draft-ietf-dance-client-auth-09.txt> (TLS Client Authentication via DANE TLSA records) to Proposed Standard
List-Id: DANE Authentication for Network Clients Everywhere <dance.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dance/nH8nQKTLRcL97cFZpee0v4F3tP4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dance>
List-Help: <mailto:dance-request@ietf.org?subject=help>
List-Owner: <mailto:dance-owner@ietf.org>
List-Post: <mailto:dance@ietf.org>
List-Subscribe: <mailto:dance-join@ietf.org>
List-Unsubscribe: <mailto:dance-leave@ietf.org>

On Mon, Jan 26, 2026 at 8:39 AM Shumon Huque <shuque@gmail.com> wrote:

> On Mon, Jan 26, 2026 at 10:56 AM Salz, Rich <rsalz@akamai.com> wrote:
>
>>
>>
>>    - > This has the effect of revealing the client's identity on the
>>    wire.
>>
>>
>>
>>    - It does, I guess unless encrypted DNS transport is being used.
>>    - A number of other protocol mechanisms already have similar problems,
>>    - don't they, like TLS client's lookup of SVCB records for ECH, etc,
>>    if
>>    - not done with encrypted DNS transport.
>>
>>
>> A client looking up SVCB records does not expose the client’s identity.
>> EKR pointed out that this doc explicitly has the server look up the client
>> identity.
>>
>
> Yes, I was speaking about the general topic of not revealing domain name
> identities on the wire (for client or server). TLS 1.3 wants to do both.
>

As I said in my previous response, TLS 1.3 already. protects the client's
certificate,
so you're introducing a privacy regression. The situation is entirely
different with
the server's identity.


>
> > At one point we had considered whether the client should look up
> > its own DANE information and send it in an extension (the opposite
> > form of RFC 9102: TLS DNSSEC chain extension), but decided that this
>
>> >might be too much complexity to impose on the client, particularly since
>> >some of them might be resource constrained. That topic could be
>> revisited.
>>
>> I think you should. A key point of TLS 1.3 is not to expose the client
>> identity.
>>
>
> Ok, I'm pondering this topic. Requiring the client to implement a complex
> DNSSEC chain extension like mechanism will likely be a significant barrier
> to implementation I feel.
>

The discussion of barriers to implementation might be more productively had
in reference to some specific deployment scenario. Who is presently planning
to deploy this and in what settings. Would this be an obstacle to them
deploying?

 Especially in cases where hiding the client identity for the application
may not be that important (like a warehouse full of machine identities).

We generally don't design security mechanisms for this kind of limited scope
deployment, at least without a very prominent limited applicability
statement.
I would observe that the DANCE architecture document makes quite
expansive applicability claims which would clearly be in tension with this
kind of limitation.

Careful use of encrypted DNS resolvers can also mitigate this and could be
> a recommendation.
>

"Careful" is doing a lot of work here, given that we don't really have any
kind
of generally applicable mechanism for securely determining an encrypted
resolver, let alone protecting recursive to authoritative.

-Ekr




> > As a bare minimum, if no changes are made, the security considerations
> should make this exposure explicit.
>
> Ack.
>
> >could also probably shore up the language to mandate the use
>
>> >of the extension (non-empty), instead of allowing it to be omitted
>> >if the certificate only has one dns SAN identifier.
>>
>> That seems like a good idea.
>>
>> >> Below you say that the client MUST supply the client identity
>> >> extension if there are >1 SANs but what is the server to do
>> >> if the client does not?
>>
>> >The server should abort the connection with an error (and maybe
>> >a tailored TLS alert needs to be defined).
>>
>> You probably do not want a custom alert as that gives out too much
>> information.
>>
>
> Good point.
>
> Shumon.
>
>