Re: [Danish] revised charter text from Tuesday morning
Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 26 June 2021 19:08 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D7AA3A005D for <danish@ietfa.amsl.com>; Sat, 26 Jun 2021 12:08:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q_9Olz7EP204 for <danish@ietfa.amsl.com>; Sat, 26 Jun 2021 12:08:20 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2ED63A005C for <danish@ietf.org>; Sat, 26 Jun 2021 12:08:20 -0700 (PDT)
Received: from smtpclient.apple (unknown [192.168.1.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 9EDA8CD560 for <danish@ietf.org>; Sat, 26 Jun 2021 15:08:19 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.100.0.2.22\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <17670.1624372831@localhost>
Date: Sat, 26 Jun 2021 15:08:19 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: danish@ietf.org
Message-Id: <2F9979ED-0400-4E71-A7D1-F49919004C6F@dukhovni.org>
References: <17670.1624372831@localhost>
To: danish@ietf.org
X-Mailer: Apple Mail (2.3654.100.0.2.22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/4fGE9mZJxjwukN9TP15YYzAT0Dw>
Subject: Re: [Danish] revised charter text from Tuesday morning
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DANE AutheNtication for Iot Service Hardening <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Jun 2021 19:08:25 -0000
> On 22 Jun 2021, at 10:40 am, Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > The process of establishing trust in public-key-authenticated identity > typically involves the use of a Public Key Infrastructure (PKI), and a > shared PKI root of trust between the parties exchanging public keys. A > Certification Authority (CA) is one example of a PKI which can be used for > establishing trust in public keys. I don't think it is correct to conflate a CA with a PKI. A PKI is an ecosystem, that consists of some mixture of: * Relying parties * Key holders * Certification authorities * Registration Authorities * CRL distribution services * OCSP services * CT logs? * ... A CA's public key (or the associated certificate) can be a trust-anchor in a PKI, but is not in itself a PKI. > The DNS namespace, together with DNSSEC, forms the most widely-recognized > namespace and authenticated discovery mechanism on the Internet. This rather lacks context and looks poorly framed to me. Why are we suddenly talking about "discovery". DNS is a distributed directly (lookup) service, it is not a "discovery" mechanism, even if some "discovery" mechanisms happen to leverage DNS at some point. DNS is the largest (only) Internet-wide federated namespace. DNSSEC provides end-to-end integrity for DNS, obviating the need to trust intermediate caches. DNSSEC also makes it possible to securely publish the public keys or certificates of (DNS) named entities. > DANE builds on this authenticated discovery mechanism to enable public key-based > TLS authentication which is resilient to impersonation, but only for TLS > server identities. DNS is not a discovery mechanism. DANE makes it possible to securely look up the public key or certificate (in full or a digest) associated with a (DNS) named entity. In the case of TLS, DANE presently only defines naming for server endpoints. > What DANE did not define is how services can authenticate connecting clients. There is presently no standard definition of client identity names, nor how a client would communicate its DNS name to a server in a given protocol. > In response to the challenges related to ambiguity between client identities issued > by different CAs, application owners frequently choose to onboard IoT devices > to a single private CA specific to that vertical. All mention of "ambiguity" needs to go. It is misleading and not the real issue at hand. The problem is not "ambiguity". The relevant concerns are: * Need for global names. If the relying party is not also the owner/operator of a private PKI, but rather relies on a global PKI, then of course the names being authenticated need to be global (e.g. DNS names). * Need to scope trust. In many applications it is not acceptable to trust client identities issued by all the various CAs of the WebPKI. Ambiguity is not relevant, and fails to capture the key issues. -- Viktor.
- [Danish] revised charter text from Tuesday morning Michael Richardson
- Re: [Danish] revised charter text from Tuesday mo… Wes Hardaker
- Re: [Danish] revised charter text from Tuesday mo… Ash Wilson
- Re: [Danish] revised charter text from Tuesday mo… Shumon Huque
- Re: [Danish] revised charter text from Tuesday mo… Viktor Dukhovni
- Re: [Danish] revised charter text from Tuesday mo… Michael Richardson
- Re: [Danish] revised charter text from Tuesday mo… Viktor Dukhovni
- Re: [Danish] revised charter text from Tuesday mo… Wes Hardaker