[Danish] Proposed WG Charter
Ash Wilson <ash.wilson@valimail.com> Sat, 12 June 2021 15:25 UTC
Return-Path: <ash.wilson@valimail.com>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EAC73A16F8 for <danish@ietfa.amsl.com>; Sat, 12 Jun 2021 08:25:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hlnreDlJbVmB for <danish@ietfa.amsl.com>; Sat, 12 Jun 2021 08:25:20 -0700 (PDT)
Received: from mail-qv1-xf35.google.com (mail-qv1-xf35.google.com [IPv6:2607:f8b0:4864:20::f35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 737243A16FA for <danish@ietf.org>; Sat, 12 Jun 2021 08:25:20 -0700 (PDT)
Received: by mail-qv1-xf35.google.com with SMTP id x6so13280557qvx.4 for <danish@ietf.org>; Sat, 12 Jun 2021 08:25:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:from:date:message-id:subject:to; bh=+uwROYO4BdZWY68vLwdQ5AHzeP28YFutV+aFxaJWdA0=; b=OL9tvM38WEKsBMILBuwxScQQpWnjnQ1L13hdYw7lM1pe2+CWlkdZQ3IF2d/OB8Td14 tK/ZmJVd5qmf5rqf/WRL4zXK0uV48AnLoo//PO6zoVJsJYZAQy9GNKMSN/6Nq+u5r0rp qNL44g6WZkZyEcHTXbBtzSl9/2WilkLwbChi0EdaVep5cnmNy7T0r0rP4PPAYzD0AaVF +vF3y3nNAg+uy0gzsNpdVznntVaUP6Kbg5YBM5t4XVaCBflPvzjV7sUn4A6DT3vr9bD+ YrVmYI8LblL1lc0V66+8NEOzvDGiWLoZZ7Ly45sANrhv31yaRMJgrfv7WquiJlYNO1BE Q3OA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=+uwROYO4BdZWY68vLwdQ5AHzeP28YFutV+aFxaJWdA0=; b=ThZ8bGM1wul7D+PRQf9KdhD45pvlWXI+ggOcWz6eDaYovS6eJsmi9XB2r2S3rdxn4s 7RJ9lgbpCqDuAIvjwQPLSnHx6h1CJuwRPJUepUf7Nalgd5ymFvw2h5qK5HIEobXRP+Nl 6MCyPFG91S+HQhkVo5henXy1JZKanHGEfmWI3isxnyfqbGIoPVfzXdMv5gC+1QORZPov N33ZbuQAWqikOunCktzfJ/B992XdlIm6K/6iqn8yqr7llxtWyUXtyeW5bQZIiW6N3T/7 YxZDbB35ul6hESLy2hujbBbha66ZRBmJMZ88JAYGFzHsSVJ3Cq6I7Vr4DI2VQXFk983A Rg/Q==
X-Gm-Message-State: AOAM531Vqw/XFNPPWQg+g2gSowuaPL+LQ24a8vcqnCu7SuuiQtvcQahE Ajyz9bKFnOI/cE7NAcF/fmnkIkwgQtToSELKlOyZqZLrk/x+ww==
X-Google-Smtp-Source: ABdhPJx7MGY676ZJjadMG54dfAQs+aICqIU9beVTN+nUm0W2imbt6YyXgx/Zn5loBwEsa2mMF4ly1BboQ75zlzEDYfE=
X-Received: by 2002:a0c:e54c:: with SMTP id n12mr10293189qvm.20.1623511518300; Sat, 12 Jun 2021 08:25:18 -0700 (PDT)
MIME-Version: 1.0
From: Ash Wilson <ash.wilson@valimail.com>
Date: Sat, 12 Jun 2021 08:25:07 -0700
Message-ID: <CAEfM=vRA4P7As25Krc64Q5QTEuQZidpmzWgXWivOxOm8x-9ZAw@mail.gmail.com>
To: danish@ietf.org
Content-Type: multipart/alternative; boundary="000000000000565db105c4933b7f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/03tYSTrnLVoeDy7KEd_HSUvVgPA>
Subject: [Danish] Proposed WG Charter
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Jun 2021 15:25:26 -0000
Greetings, This is the final text for the proposed charter. We are seeking support for the formation of the working group, as well as support for implementation, adoption, and documentation efforts. -- -Objective The now closed DANE working group (WG) produced a mechanism that supported authentication of TLS server identities via a DNSSEC-secured infrastructure. Operational experience with DANE has validated the utility of a DNS-enabled mechanism for discovering authenticated keys, but has also shown that reliance on DNSSEC is a significant barrier to adoption. The DANE AutheNtication for Iot Service Hardening (DANISH) WG seeks to extend DANE to encompass TLS client and message sender identities. DANISH will also define a mechanism for messaging use cases that allows DANE DNS record types to be secured by the Web PKI as a transition strategy for domain owners who have not yet implemented a DNSSEC-based trust model. -Problem statement The process of establishing trust in public-key-authenticated identity typically involves the use of a Public Key Infrastructure (PKI), and a shared PKI root of trust between the parties exchanging public keys. A Certificate Authority (CA) is one example of a PKI which can be used for establishing trust in public keys. CAs only guarantee the uniqueness of an identity’s name within the context of the CA, and multiple CAs may sign certificates for different entities bearing the same name. DNSSEC is another PKI, which is bound to the DNS namespace. The DNS namespace, together with DNSSEC, forms the most widely-recognized namespace and authenticated discovery mechanism on the Internet. DANE builds on this authenticated discovery mechanism to enable public key-based TLS authentication which is resilient to impersonation, but only for TLS server identities. The use of CA-based PKI alone for client and message sender authentication creates the possibility of naming collisions when multiple CAs are trusted within the same application. In response to the challenges related to ambiguity between identities issued by different CAs, application owners frequently choose to onboard IoT devices to a single CA. This process of credential issuance can be time-consuming, which is further exacerbated by the sheer number of entities participating in large-scale IoT deployments. Expanding the use cases for DANE to support the representation of TLS client and message sender identities will enable unambiguous authentication across CAs, for client/server TLS sessions as well as message-oriented information flows. The greatest barrier to DANE adoption has been the DNSSEC requirement. DANISH will provide a method of certificate and trust chain discovery for private PKIs, to enable the messaging security use case, in a manner which will work securely in the absence of DNSSEC. This allows for a gradual DANE adoption where DNSSEC is not in the initial set of requirements. -Scope of work DANISH will specify the TLS session and message security use cases and an architecture describing the primary components and interaction patterns. DANISH will establish usage conventions for DANE DNS records to represent client identity for TLS connections and how to perform public key discovery for message security use cases, like the establishment of message sender identity. DANISH will coordinate with the TLS working group to define any required TLS v1.3 protocol updates required to support client authentication using DANE. DANISH will standardize a protocol and specify operational recommendations for the use of Web PKI to authenticate the discovery of private PKI certificates and trust chains via DANE DNS record types, in the absence of DNSSEC, in support of the message security use case. While modifications to the following standards are not within the scope of the DANISH charter, the DANISH working group will take care to ensure a potential path for interoperability with the following standards, enabling potential future work:SMIMEA (RFC 8162), Proxy headers (RFC 7239), IANA email authentication headers, and TCP proxy TLVs standardized by haproxy. -Deliverables: DANISH architecture document 9 months DANE for client certificates (current draft) 6 months DANE for TLS client authentication (current draft) 6 months DANE Transitional Mode Definition and Operational Guidance (non-DNSSEC) 1 year -- *Ash Wilson* | Technical Director *e:* ash.wilson@valimail.com This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
- [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Paul Wouters
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Paul Hoffman
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Shumon Huque
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] [EXT] Re: Proposed WG Charter Jacques Latour
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Paul Wouters
- Re: [Danish] Proposed WG Charter Paul Wouters
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Roman Danyliw
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Jacques Latour