[Danish] Proposed WG Charter

Ash Wilson <ash.wilson@valimail.com> Sat, 12 June 2021 15:25 UTC

Return-Path: <ash.wilson@valimail.com>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EAC73A16F8 for <danish@ietfa.amsl.com>; Sat, 12 Jun 2021 08:25:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hlnreDlJbVmB for <danish@ietfa.amsl.com>; Sat, 12 Jun 2021 08:25:20 -0700 (PDT)
Received: from mail-qv1-xf35.google.com (mail-qv1-xf35.google.com [IPv6:2607:f8b0:4864:20::f35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 737243A16FA for <danish@ietf.org>; Sat, 12 Jun 2021 08:25:20 -0700 (PDT)
Received: by mail-qv1-xf35.google.com with SMTP id x6so13280557qvx.4 for <danish@ietf.org>; Sat, 12 Jun 2021 08:25:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:from:date:message-id:subject:to; bh=+uwROYO4BdZWY68vLwdQ5AHzeP28YFutV+aFxaJWdA0=; b=OL9tvM38WEKsBMILBuwxScQQpWnjnQ1L13hdYw7lM1pe2+CWlkdZQ3IF2d/OB8Td14 tK/ZmJVd5qmf5rqf/WRL4zXK0uV48AnLoo//PO6zoVJsJYZAQy9GNKMSN/6Nq+u5r0rp qNL44g6WZkZyEcHTXbBtzSl9/2WilkLwbChi0EdaVep5cnmNy7T0r0rP4PPAYzD0AaVF +vF3y3nNAg+uy0gzsNpdVznntVaUP6Kbg5YBM5t4XVaCBflPvzjV7sUn4A6DT3vr9bD+ YrVmYI8LblL1lc0V66+8NEOzvDGiWLoZZ7Ly45sANrhv31yaRMJgrfv7WquiJlYNO1BE Q3OA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=+uwROYO4BdZWY68vLwdQ5AHzeP28YFutV+aFxaJWdA0=; b=ThZ8bGM1wul7D+PRQf9KdhD45pvlWXI+ggOcWz6eDaYovS6eJsmi9XB2r2S3rdxn4s 7RJ9lgbpCqDuAIvjwQPLSnHx6h1CJuwRPJUepUf7Nalgd5ymFvw2h5qK5HIEobXRP+Nl 6MCyPFG91S+HQhkVo5henXy1JZKanHGEfmWI3isxnyfqbGIoPVfzXdMv5gC+1QORZPov N33ZbuQAWqikOunCktzfJ/B992XdlIm6K/6iqn8yqr7llxtWyUXtyeW5bQZIiW6N3T/7 YxZDbB35ul6hESLy2hujbBbha66ZRBmJMZ88JAYGFzHsSVJ3Cq6I7Vr4DI2VQXFk983A Rg/Q==
X-Gm-Message-State: AOAM531Vqw/XFNPPWQg+g2gSowuaPL+LQ24a8vcqnCu7SuuiQtvcQahE Ajyz9bKFnOI/cE7NAcF/fmnkIkwgQtToSELKlOyZqZLrk/x+ww==
X-Google-Smtp-Source: ABdhPJx7MGY676ZJjadMG54dfAQs+aICqIU9beVTN+nUm0W2imbt6YyXgx/Zn5loBwEsa2mMF4ly1BboQ75zlzEDYfE=
X-Received: by 2002:a0c:e54c:: with SMTP id n12mr10293189qvm.20.1623511518300; Sat, 12 Jun 2021 08:25:18 -0700 (PDT)
MIME-Version: 1.0
From: Ash Wilson <ash.wilson@valimail.com>
Date: Sat, 12 Jun 2021 08:25:07 -0700
Message-ID: <CAEfM=vRA4P7As25Krc64Q5QTEuQZidpmzWgXWivOxOm8x-9ZAw@mail.gmail.com>
To: danish@ietf.org
Content-Type: multipart/alternative; boundary="000000000000565db105c4933b7f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/03tYSTrnLVoeDy7KEd_HSUvVgPA>
Subject: [Danish] Proposed WG Charter
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Jun 2021 15:25:26 -0000

Greetings,

This is the final text for the proposed charter. We are seeking support for
the formation of the working group, as well as support for implementation,
adoption, and documentation efforts.

--
-Objective
The now closed DANE working group (WG) produced a mechanism that supported
authentication of TLS server identities via a DNSSEC-secured
infrastructure.  Operational experience with DANE has validated the utility
of a DNS-enabled mechanism for discovering authenticated keys, but has also
shown that reliance on DNSSEC is a significant barrier to adoption.

The DANE AutheNtication for Iot Service Hardening (DANISH) WG seeks to
extend DANE to encompass TLS client and message sender identities. DANISH
will also define a mechanism for messaging use cases that allows DANE DNS
record types to be secured by the Web PKI as a transition strategy for
domain owners who have not yet implemented a DNSSEC-based trust model.

-Problem statement
The process of establishing trust in public-key-authenticated identity
typically involves the use of a Public Key Infrastructure (PKI), and a
shared PKI root of trust between the parties exchanging public keys. A
Certificate Authority (CA) is one example of a PKI which can be used for
establishing trust in public keys. CAs only guarantee the uniqueness of an
identity’s name within the context of the CA, and multiple CAs may sign
certificates for different entities bearing the same name. DNSSEC is
another PKI, which is bound to the DNS namespace.

The DNS namespace, together with DNSSEC, forms the most widely-recognized
namespace and authenticated discovery mechanism on the Internet. DANE
builds on this authenticated discovery mechanism to enable public key-based
TLS authentication which is resilient to impersonation, but only for TLS
server identities.

The use of CA-based PKI alone for client and message sender authentication
creates the possibility of naming collisions when multiple CAs are trusted
within the same application. In response to the challenges related to
ambiguity between identities issued by different CAs, application owners
frequently choose to onboard IoT devices to a single CA. This process of
credential issuance can be time-consuming, which is further exacerbated by
the sheer number of entities participating in large-scale IoT deployments.

Expanding the use cases for DANE to support the representation of TLS
client and message sender identities will enable unambiguous authentication
across CAs, for client/server TLS sessions as well as message-oriented
information flows.

The greatest barrier to DANE adoption has been the DNSSEC requirement.
DANISH will provide a method of certificate and trust chain discovery for
private PKIs, to enable the messaging security use case, in a manner which
will work securely in the absence of DNSSEC. This allows for a gradual DANE
adoption where DNSSEC is not in the initial set of requirements.

-Scope of work
DANISH will specify the TLS session and message security use cases and an
architecture describing the primary components and interaction patterns.

DANISH will establish usage conventions for DANE DNS records to represent
client identity for TLS connections and how to perform public key discovery
for message security use cases, like the establishment of message sender
identity.

DANISH will coordinate with the TLS working group to define any required
TLS v1.3 protocol updates required to support client authentication using
DANE.

DANISH will standardize a protocol and specify operational recommendations
for the use of Web PKI to authenticate the discovery of private PKI
certificates and trust chains via DANE DNS record types, in the absence of
DNSSEC, in support of the message security use case.

While modifications to the following standards are not within the scope of
the DANISH charter, the DANISH working group will take care to ensure a
potential path for interoperability with the following standards, enabling
potential future work:SMIMEA (RFC 8162), Proxy headers (RFC 7239), IANA
email authentication headers, and TCP proxy TLVs standardized by haproxy.

-Deliverables:
DANISH architecture document
9 months
DANE for client certificates (current draft)
6 months
DANE for TLS client authentication (current draft)
  6 months
DANE Transitional Mode Definition and Operational Guidance (non-DNSSEC)
1 year



-- 

*Ash Wilson* | Technical Director
*e:* ash.wilson@valimail.com

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.