Re: [Dance] [EXT] Re: New Version Notification for draft-latour-dns-and-digital-trust-00.txt

Jacques Latour <Jacques.Latour@cira.ca> Fri, 05 May 2023 20:35 UTC

From: Jacques Latour <Jacques.Latour@cira.ca>
To: Michael Richardson <mcr@sandelman.ca>, "dance@ietf.org" <dance@ietf.org>
Thread-Topic: [EXT] Re: [Dance] New Version Notification for draft-latour-dns-and-digital-trust-00.txt
Thread-Index: AdlxPflDTEo0ZBXORzavv2Y/Ae+H3gL3a2EAAJzQ6bA=
Date: Fri, 05 May 2023 20:35:22 +0000
Message-ID: <YT2P288MB0252E48482A0BDC49035A5868A729@YT2P288MB0252.CANP288.PROD.OUTLOOK.COM>
References: <YT2P288MB0252CCBB232806E051E355508A9C9@YT2P288MB0252.CANP288.PROD.OUTLOOK.COM> <21240.1683048570@localhost>
In-Reply-To: <21240.1683048570@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dance/u0TUq0jsizxFYFvL5BVawx_A4rg>
List-Id: DANE Authentication for Network Clients Everywhere <dance.ietf.org>

Hi Michael,

Thanks for the feedback, and I understand your concerns and the lack of clarity on the ecosystem and its applicable use.

I'm trying to think of a better way to frame this, and I'm pretty sure Dance is the right home for this.

In any case, a DID is, for all intents and purposes, a document in a ledger with a public key for the issuer of the digital credentials; the digital credential that someone has on a phone would be signed by that issuer and verifiable via the DID (public key and other attributes), and we use the TLSA records and labels in the DNS to add an additional layer of trust and functionality to search for a trust registry.

Some DNS code and examples here: https://github.com/CIRALabs/TrustyDID

This video explains how digital credentials and issuers work: https://www.loom.com/share/57db10ddc9f448bf8ff2fb7b10138283

So, two DANCE questions:
       1) can we use the TLSA record to express the public key of an issuer, and 
       2) can an issuer make a TLSA record available if the zone is not signed...  

Jack
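The flow Jacques sketches above (issuer public key in a DID document, the same key published as a TLSA record under a DNS label, verifier checks one against the other) as an added worked example. This is editor-supplied code, not from the draft, the TrustyDID repository or the video; the owner name `_did.issuer.example`, the DID document field holding a DER SubjectPublicKeyInfo, and the `DnsAnswer` stand-in for a resolver response are all assumptions, and the key bytes are a constructed placeholder. It uses the RFC 6698 TLSA parameters DANE-EE (usage 3), SPKI (selector 1) and SHA-256 (matching type 1), so it answers question 1 (yes, a TLSA record can carry a digest of the issuer key) and illustrates the caveat behind question 2: RFC 6698 requires that a TLSA answer be DNSSEC-validated, so a record from an unsigned zone gives the verifier nothing to rely on, and the check below refuses it when the resolver's AD flag is clear.

```python
"""
Added example (editor's code, not the draft's or CIRALabs/TrustyDID's):
publish an issuer public key as a DANE TLSA record and let a verifier
check the key from a DID document against it.

Assumptions: the owner name `_did.issuer.example`, the DID document
field `spkiDer` (base64 DER SubjectPublicKeyInfo) and the `DnsAnswer`
type are hypothetical; SAMPLE_SPKI is a constructed Ed25519 SPKI with a
dummy key, not a real issuer key.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

# RFC 6698 TLSA parameters used here
USAGE_DANE_EE = 3      # the published key itself is the trust anchor
SELECTOR_SPKI = 1      # hash the SubjectPublicKeyInfo, not a whole certificate
MATCHING_SHA256 = 1    # certificate association data is a SHA-256 digest

# Hypothetical owner name where an issuer would publish its record.
ISSUER_TLSA_NAME = "_did.issuer.example."

# Constructed: DER SubjectPublicKeyInfo for Ed25519 (OID 1.3.101.112) with a dummy
# 32-byte key of 0x00..0x1f. Only the structure matters for this example.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    def to_presentation(self) -> str:
        """Zone-file form, e.g. `3 1 1 <hex digest>`."""
        return f"{self.usage} {self.selector} {self.matching_type} {self.data.hex()}"

    @classmethod
    def from_presentation(cls, text: str) -> "TLSA":
        """Parse zone-file form; dig may split the hex across several tokens."""
        usage, selector, mtype, *hexparts = text.split()
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def tlsa_for_issuer_key(spki_der: bytes) -> TLSA:
    """Issuer side: the record to publish for a given public key (DER SPKI)."""
    return TLSA(USAGE_DANE_EE, SELECTOR_SPKI, MATCHING_SHA256, hashlib.sha256(spki_der).digest())


def issuer_key_from_did_document(doc: Dict[str, str]) -> bytes:
    """Verifier side: pull the issuer SPKI out of a (hypothetical) DID document layout."""
    return base64.b64decode(doc["spkiDer"])


@dataclass(frozen=True)
class DnsAnswer:
    """Constructed stand-in for a resolver response to a TLSA query."""
    records: Tuple[TLSA, ...]
    ad: bool  # Authenticated Data flag: set only by a validating resolver for a signed zone


def issuer_key_matches_dns(spki_der: bytes, answer: DnsAnswer) -> Tuple[bool, str]:
    """
    Verifier side: accept the issuer key only if a DNSSEC-validated TLSA record
    with matching parameters carries the same SHA-256 digest of the SPKI.
    """
    if not answer.ad:
        # RFC 6698: a TLSA record that was not validated by DNSSEC must not be used.
        return False, "TLSA answer not DNSSEC-validated (AD flag clear); unsigned zone gives no assurance"
    expected = tlsa_for_issuer_key(spki_der)
    for rec in answer.records:
        if (rec.usage, rec.selector, rec.matching_type) != (USAGE_DANE_EE, SELECTOR_SPKI, MATCHING_SHA256):
            continue  # other parameter combinations are out of scope for this example
        if hmac.compare_digest(rec.data, expected.data):
            return True, "issuer key matches the published TLSA record"
    return False, "no validated TLSA record matches the issuer key"


if __name__ == "__main__":
    record = tlsa_for_issuer_key(SAMPLE_SPKI)
    print(f"{ISSUER_TLSA_NAME} IN TLSA {record.to_presentation()}")
    did_doc = {"id": "did:example:issuer", "spkiDer": base64.b64encode(SAMPLE_SPKI).decode()}
    key = issuer_key_from_did_document(did_doc)
    print(issuer_key_matches_dns(key, DnsAnswer((record,), ad=True)))
    print(issuer_key_matches_dns(key, DnsAnswer((record,), ad=False)))
```

Two design points worth noting: selector 1 (SPKI) lets the issuer rotate certificates without touching DNS as long as the key stays the same, and the AD-flag check only means something when the verifier talks to a validating resolver over a trusted path (or validates itself); a stub resolver on an untrusted network can have the flag stripped, so a production verifier should do its own DNSSEC validation rather than trust the bit.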



-----Original Message-----
From: Michael Richardson <mcr@sandelman.ca> 
Sent: May 2, 2023 1:30 PM
To: Jacques Latour <Jacques.Latour@cira.ca>; dance@ietf.org
Subject: [EXT] Re: [Dance] New Version Notification for draft-latour-dns-and-digital-trust-00.txt


I browsed your document, but I had difficulty understanding its
applicability.  In my experience with Verified Credentials, they are just not
usable to individuals without the use of a smartphone.  Said smartphone has
no static IP address, so must use a mediator in order to go through
credential presentations, etc. Even if the smartphone did have a stable IPv6,
it probably doesn't have the battery power to be willing to be reachable at
all times.  To date, I haven't found a reasonable business model for
operation of the mediator service(s) which are critical to this entire model.

I mention this because I don't understand how/why your example in section 4.2
would be interacted with.  At first, I thought that I was going to interact
with it when I obtain a credential, but then I realized that was wrong.

If my university provides a credential attesting to my degree to me, I'm not
going to reach out to the university for this DID; I think I already have it.

It would be the verifiers that might need this information.
But, when I do a credential presentation with some verifier, I would have
already provided them with the right links, or they would already have them.

I'm unclear how the privacy violating DNS lookup would help them with an
authorization decision.

Perhaps there is a better flow or example that could be used to explain this?
My observation from work in this area is that the "distributed ledgers" are
more of a liability than a feature, and that it would be a good thing if
"sovereign" entities could use the things they are already sovereign over,
namely their ccTLDs as anchors.

{I still think we did DNSSEC root wrong}

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [