Re: [Dance] [EXT] Re: Leveraging DNS in Digital Trust: Credential Exchanges and Trust Registries
Jacques Latour <Jacques.Latour@cira.ca> Fri, 09 June 2023 13:14 UTC
Return-Path: <Jacques.Latour@cira.ca>
X-Original-To: dance@ietfa.amsl.com
Delivered-To: dance@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E533EC1519B4; Fri, 9 Jun 2023 06:14:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.076
X-Spam-Level:
X-Spam-Status: No, score=-2.076 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cira.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lVtzdfZUv_0q; Fri, 9 Jun 2023 06:13:59 -0700 (PDT)
Received: from CAN01-YT3-obe.outbound.protection.outlook.com (mail-yt3can01on20707.outbound.protection.outlook.com [IPv6:2a01:111:f403:7053::707]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29722C14CE42; Fri, 9 Jun 2023 06:13:58 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hPYU4TEgTcGVLzjDeMMHrWkqvMj0MlDGVnKY4MaHti0BS/mP02ZJR3Zrv+SQrANyKDH5rdP4wCSq6rh3on4QW4Blm8d/W1QuBhpMZBuAv2WAH8KqZmCCKVFczVzs9VZ8Sl91k+3bJaWDwvJ66M8t679YcNTxRpH/qPKVWv7QCPmpRQwEEnHq5DtqvZTzeYvwzJrcubpRJdbqiqhg9fBHjGctCKbRDVR0fgkZESsloV3TzLqsQ/PDZZ4WTGPrNoF5x7NhrYzBSeZQ3IPMRM08zdo3Zo5R+Bz1eu1CgMFX2xxEO+xClwQSbG9+5M5H+MNWPWj2tfiSi2QTD1DqPksUGg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=D/7rE0JJwjdMVLjbDWFOM5pb7mY37R2aewccKOVCyIs=; b=Gg/Unsim92mSAcYSkWztulw1hc09VUsf2JiCAo6E8Q8NYaEXfCbIkrFX0MwCcVRVVp5ocACQcPiiHrdkSdFas+GXKAKTZnW0dZaQJYXsz8GpM9JSGsFzKF3QFaycWB5scEoMhzD0XtJDnNAHSDK/A30YPCxnREyUcsYn13pdVpNQR2Y89ZVpgajVw3awBYum/ojCwxLRjrjaKjZCI0GWr4dnIKIOuXVI6TuIZb2bXvMOFwu5neYXkz5rRuN0/R6EdlOExHRBZ0OE98D1EFW4lBomEUzYEl509/HO7NiuytqZEWdBU8ZisZZCCVdPvkziC45cx7vOS4Niy2xZ4yIEpQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cira.ca; dmarc=pass action=none header.from=cira.ca; dkim=pass header.d=cira.ca; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cira.ca; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=D/7rE0JJwjdMVLjbDWFOM5pb7mY37R2aewccKOVCyIs=; b=W+rimLPBO31Hpwv48NDJiOxuJRYABex0M6jcY8OcAg3Drxyzkoe4q6Qb36doq16Su4lngt9qTxeiQqeboQiapOO4VUPleQH+qzN3oassJaOCHh8CeRlG/4z8aCXm9+M5J1C/znyjS3p6CfQDA/wssk3o/1wIbe8PDWZmesKTxAygnN3iLOlhi2bD78x6ZkZZNSnOXftYR3ay03ix1XlRz0ACcp4Uayl5g83wwbV33tJCtOeQVhHzu8NtWBmeYTnimk8gLehLBITLnzr+moycr4uvKI+SFuHPgmvvXxCiH4PtySuK7j+i4ezv5J8HTt3SukFEmK9woDFEFbWcTn7MPw==
Received: from YT2P288MB0252.CANP288.PROD.OUTLOOK.COM (2603:10b6:b01:f1::16) by YT2P288MB0059.CANP288.PROD.OUTLOOK.COM (2603:10b6:b01:f2::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6455.42; Fri, 9 Jun 2023 13:13:55 +0000
Received: from YT2P288MB0252.CANP288.PROD.OUTLOOK.COM ([fe80::fd46:42c:5534:b322]) by YT2P288MB0252.CANP288.PROD.OUTLOOK.COM ([fe80::fd46:42c:5534:b322%7]) with mapi id 15.20.6455.034; Fri, 9 Jun 2023 13:13:55 +0000
From: Jacques Latour <Jacques.Latour@cira.ca>
To: Orie Steele <orie@transmute.industries>, "dance@ietf.org" <dance@ietf.org>
CC: "uta@ietf.org" <uta@ietf.org>, scitt <scitt@ietf.org>, Mathieu Glaude <mathieu@northernblock.io>, Jesse Carter <Jesse.Carter@cira.ca>
Thread-Topic: [EXT] Re: Leveraging DNS in Digital Trust: Credential Exchanges and Trust Registries
Thread-Index: AQHZmhz/oSZDiFicvE2rG1DOazzhEK+CZ85b
Date: Fri, 09 Jun 2023 13:13:55 +0000
Message-ID: <YT2P288MB025264AA5242AA7908096DED8A51A@YT2P288MB0252.CANP288.PROD.OUTLOOK.COM>
References: <CAN8C-_KcJ8G+QX99SA859N=oS8-cXqziy-WwovV7jUS6GM29EQ@mail.gmail.com>
In-Reply-To: <CAN8C-_KcJ8G+QX99SA859N=oS8-cXqziy-WwovV7jUS6GM29EQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cira.ca;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: YT2P288MB0252:EE_|YT2P288MB0059:EE_
x-ms-office365-filtering-correlation-id: 1a5caa1d-7818-4f8c-6405-08db68eb60c2
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: YQw6O+dqdpjVv6DhRbU+sgA0Nzx/Ey1wWujAtKFLKxIfnvn1AfwFc5WPd87gnzubVdYgRK1syELAE00RR3SOmAKpF3K5v46GcCTkIAjAsQ+Gj6sqfCR+qcRmB+y1gFG6/iHyPYP9fZfK0EGX8uis5Kq24h4v+fVXZXmxGCaC7PbO1FoLQyT2mcB1OK9r5nKVIwYc0vH+zWmw24c2Vv4wCtyQk0SJhFNV8IiRY7lBZrP4xC8emKEf4+OVW30j7TgyDO2l2KqtxvrhD0SngU6xvzKaphLNsFMrOZCQZCnOaBqSYxkIiFsab4Vys8BpzOH7XOXABW6Rt5PZzfyW/mKd4oHR/Zfw5kQMfd34lI48p7HjIkFSEw8qn+hDTpCu75I17Cp2QvqGsd0SPA6uXP22YhXbJH8iFAxHqd2GjR5oXPUO5eISMKINRvqWbUdGOWmKC/vbWj+5F6phejAqD+pkn4ZfrOsEn8oMVpZYVeXAzZmGW8WyeQqtv2xjK2+5Om4G0teJBzeR6sGZpo3zudLuxAiiR7fSTvwEVdu99rrioDjlHh8Szyoz31PTOgJYTzuqGukRLEMYYJGnL8CHTv/I8e6xNv/yIFXod9vr+9kvmH25xciy0XXHfTNV/P2HdzZXe/cioy0ZpDR3qlQiEWMPhw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:YT2P288MB0252.CANP288.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230028)(376002)(346002)(366004)(136003)(396003)(39850400004)(1690799014)(451199021)(55016003)(110136005)(54906003)(122000001)(478600001)(8936002)(8676002)(4326008)(76116006)(66946007)(66476007)(64756008)(316002)(66556008)(38100700002)(41300700001)(66446008)(186003)(83380400001)(966005)(7696005)(71200400001)(107886003)(9686003)(26005)(53546011)(5660300002)(6506007)(33656002)(86362001)(166002)(21615005)(52536014)(38070700005)(2906002)(19627405001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: tPuCpvFFiyocLck1DGoB9Pcc2l7vBlT8rQQfprzIubZ0gqgvGoA0QdhffxrT/jLqoyQtulEvew4i2K4x4S6GYD0JVhA4rcBjg8E9Bvr/+RyMqGsaL/pUdXEBgEfJU9qznSPGvF/AXUNgCcqrPVa2tuQxYxH8wETXZqS70vvekhnqCXdyFF6f7T7LS7fOD3h0qTDXGDzTljYHHFwBymmnZ7TWd9iHvXUCoBWOhGwYmSEfKG8+bzR917V+wFmibcVVJJlruNbJGDkGtmMUJUmj3pN6ew+rsqUY+I6mMPL1k7INi573k+h4z8/BCA3VHxSpBELkKRhVrftUrNHHOHJJ3FlAzF12eLxRvJJpAYKbrPHvCDKjOHkVHREawyhyowpeJkArUHMpHn8ejn0DYNAbF2Pu3CmoYs3V5tsoTrvn6+UPG70IYJa8J2/eioZqNRfHtx8yaATxU3oJAG14Pko/dRf3TIW+YJ43euUcPgoK5mX26vozGSoU+mUtUCw9YF3GFaqHxmqqG5o/6XuBLvFxWOUIeQQWe48nHr6BB9i7R1Q08nxKAAl+TpS+6VJFbrzOxPBSGk2NNtoqCvsAFUuQl2P6C4+UpE5ICh5CYQGfcuPkUsEiuSeoAuZVCfKCD0Ow+aq4H10C7lCAJV09IaHOojaef2D6ZQbjL3YITvjL8krsicfLolzKev0OMp5HPNVJjmfhSw4+fpLjq5/X9Sml6wLEAc68Nht70Xfnf2Qw/slc7IzhY2V+KYLxYTjDkmVsniGCsQ61aqF/vZo+kJMg7tGB8MNfI7moMkMPRhyk4MeyC+pl5yPTQTagXOF18/THeXI+1XhilkN4yA3gdK7RfUhE8kcShY8qJVrb3n/uWbi+6Izb+/wRwBWFKMaQQI6Fug8RFNYDq6M65czLSus44kR+xi5KWZ7wSbRQvuNB4+Y7my0eeTns9Amdo+832RRM0es0B27Bio01tIov68IcyZF6FZaX/AHKJ41XYAOcc8uVoc6FACM3lJjP/9cn9gvMEw2Nc9tXTyUPS6FIm+QtQaQrWomKCEPbeVYv9Q89orq3Izxl3Kpf4nN6Q9eL2hcmpVWzPm+vB1LN9BZVam9XrjTzvYmk+dO6SrF8a6fjCHo1lBSHjOanMb3Ai4bE6cNNCSLyauSwl8vBWH+G/fJwtsv0bbfd95HqobLNTcGqQ1wOwZX8AD4wsAzlLB0E/3BtxVhf2YcFFHQQsbmEn1+m7QaWNDiOvKJ9DbRDF7UgvY/KjHFNKJVwPgQU6B62d0/yI5PzAA5YXP57z2Lnv6SSLNKeN0m2gRsCi0qcF1ydg9i/SeMTQ0GYBaUIVJdTkLJSMtn1QHTykCQqTkbAm7vsuovghpiD8c65HbxtYMkJea7fFJb61CsDsvWBf3iVrcDNEb5fbB1j4WhtrYZqZzQNOXAHbnBFTe4zAOdc8YRx6k00BoFlXR7nuw1uVpgfBkVW3Nf1rcznkErnDxRUIV8cMUu1q2hNAXR9qQrYCc35RGOdd7C1I9o9U2LfQjz0e6GRoElNDj02iovHZ0dnBfb+ELiM5WQ+rJ/LOkfemJGe7rUiFJxvCLgNOkGSVhCSTZmd
Content-Type: multipart/alternative; boundary="_000_YT2P288MB025264AA5242AA7908096DED8A51AYT2P288MB0252CANP_"
MIME-Version: 1.0
X-OriginatorOrg: cira.ca
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: YT2P288MB0252.CANP288.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 1a5caa1d-7818-4f8c-6405-08db68eb60c2
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Jun 2023 13:13:55.2803 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f349b30c-7550-4f17-88da-269417631f54
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: mAblCLaw88oZNpjlDCCPwYXE10aDfnfVgdY2sLQy9SoOx3gNcZPSCUOsPYq8Evdh5pXumT6Rkf8kME9bVVNiOQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: YT2P288MB0059
Archived-At: <https://mailarchive.ietf.org/arch/msg/dance/zo8yWsQl-q8VIG6gLtd2sYMzrgo>
Subject: Re: [Dance] [EXT] Re: Leveraging DNS in Digital Trust: Credential Exchanges and Trust Registries
X-BeenThere: dance@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DANE Authentication for Network Clients Everywhere <dance.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dance>, <mailto:dance-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dance/>
List-Post: <mailto:dance@ietf.org>
List-Help: <mailto:dance-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dance>, <mailto:dance-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jun 2023 13:14:04 -0000
Orie, ATDT555-1212 - was my first thought 🙂 but I like what I read on Bluesky and the AT protocol, it's different but related worlds and I think there could be some synergies, I don't see any mention of DNSSEC usage in the AT protocol? example-issuer.ca plays the role of the verifiable digital credential DC issuer. Like a university or a gov driver's license department that issues different forms of DCs.        issuer A role an entity<https://www.w3.org/TR/vc-data-model/#dfn-entities> can perform by asserting claims<https://www.w3.org/TR/vc-data-model/#dfn-claims> about one or more subjects<https://www.w3.org/TR/vc-data-model/#dfn-subjects>, creating a verifiable credential<https://www.w3.org/TR/vc-data-model/#dfn-verifiable-credentials> from these claims<https://www.w3.org/TR/vc-data-model/#dfn-claims>, and transmitting the verifiable credential<https://www.w3.org/TR/vc-data-model/#dfn-verifiable-credentials> to a holder<https://www.w3.org/TR/vc-data-model/#dfn-holders>. So with TLSA records, standard labels and URI/PTR (whatever scheme we decide to use) and DNSSEC, trust of issuers can be asserted. The I-D is about finding trust registry relationships in the DNS, for global interoperability of different ecosystems. In your example below, it's _atproto.wyden.senate.gov, I think it's the "end user" direct AT protocol credential DID and information, not the same thing.... more research/reading required. a TXT record pointing to a DID which returns : _atproto.wyden.senate.gov. 10777 IN TXT "did=did:plc:ydtsvzzsl6nlfkmnuooeqcmc" where does on go to resolve a DID:PLC? is the DID for the user "wallet" or the "account"? More reading required, Jack ________________________________ From: Orie Steele <orie@transmute.industries> Sent: Thursday, June 8, 2023 11:21 AM To: dance@ietf.org <dance@ietf.org> Cc: Jacques Latour <Jacques.Latour@cira.ca>; uta@ietf.org <uta@ietf.org>; scitt <scitt@ietf.org> Subject: [EXT] Re: Leveraging DNS in Digital Trust: Credential Exchanges and Trust Registries You don't often get email from orie@transmute.industries. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> Original thread: https://mailarchive.ietf.org/arch/msg/dance/g0eSMxmZzb1ucsFtgkVkICV5Hh8/ I read https://www.ietf.org/archive/id/draft-latour-dns-and-digital-trust-00.html Previously I had read: - https://datatracker.ietf.org/doc/draft-mayrhofer-did-dns/ - https://identity.foundation/.well-known/resources/did-configuration/ (I'm co-author) I don't understand the role that "example-issuer.ca<http://example-issuer.ca>" is playing in these records. Why is there a need to structure the record "key" to include CA information? Is https://datatracker.ietf.org/doc/draft-ietf-uta-rfc6125bis/ relevant to this conversation? I wanted to share some related work, from BlueSky: They support linking https://www.w3.org/TR/did-core/ to specific domains, this allows for the natural control of a domain to be used to establish the natural authority of an identifier, For example: dig -t txt _atproto.wyden.senate.gov<http://atproto.wyden.senate.gov> | grep 'did=' | grep -o '"did=.*"' | jq -r 'split("=")[1]' https://github.com/w3c/did-spec-registries/pull/515 I would like to see a standard way to link decentralized identifiers to domains documented somewhere at IETF. Including UTA & SCITT in case there are folks with relevant comments. Regards, OS -- ORIE STEELE Chief Technology Officer www.transmute.industries [https://ci3.googleusercontent.com/mail-sig/AIorK4xqtkj5psM1dDeDes_mjSsF3ylbEa5EMEQmnz3602cucAIhjLaHod-eVJq0E28BwrivrNSBMBc]<https://transmute.industries>
- Re: [Dance] Leveraging DNS in Digital Trust: Cred… Orie Steele
- Re: [Dance] [SCITT] Leveraging DNS in Digital Tru… Dick Brooks
- Re: [Dance] [EXT] Re: Leveraging DNS in Digital T… Jacques Latour
- Re: [Dance] [EXTERNAL] Re: [SCITT] Leveraging DNS… Antoine Delignat-Lavaud
- Re: [Dance] [SCITT] [EXTERNAL] Re: Leveraging DNS… Dick Brooks
- Re: [Dance] [EXT] Re: Leveraging DNS in Digital T… Orie Steele
- Re: [Dance] [EXTERNAL] Re: [SCITT] Leveraging DNS… Orie Steele