IETF Logo Mail Archive

Re: [Danish] Application-Independent Client Identity through DANE

Ash Wilson <ash.wilson@valimail.com> Wed, 14 April 2021 18:47 UTC

Return-Path: <ash.wilson@valimail.com>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60FD23A1B4E for <danish@ietfa.amsl.com>; Wed, 14 Apr 2021 11:47:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XIHwLKSdCSs7 for <danish@ietfa.amsl.com>; Wed, 14 Apr 2021 11:47:29 -0700 (PDT)
Received: from mail-qv1-xf36.google.com (mail-qv1-xf36.google.com [IPv6:2607:f8b0:4864:20::f36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E59F3A1B4D for <danish@ietf.org>; Wed, 14 Apr 2021 11:47:29 -0700 (PDT)
Received: by mail-qv1-xf36.google.com with SMTP id i11so4913481qvu.10 for <danish@ietf.org>; Wed, 14 Apr 2021 11:47:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=MnGFi7YJHgB+rn63ICZxYpCPEql3aofQapmS7FNbiEA=; b=MtYwwSWmuoycPCRfnFxo/xISsaW0uCF0k4b2jWL5ELV9xakFZYzRW68BxaGglbEd4E CW49zlrS054cleyR+uOpJPzxy+3iJTBeZS2+2409Cac69Lqb95dd14wYGPK5vj7xYQYV E0znT/vTQFBvm9iscYmOjT4/HKQzyMm5h0VXMA/5kIXqsYa7mlgdr7z7ijPPlRlODcU6 goBHzkLhVy/EMQEDRrpWt4BFvFCBJD5kkbv9Lzl2YNZBdFtvrZBM4alYMKRom2nKy9dC zwgDv/nlUAqYErXbMA70v0xBsNxtcmYru5TWYaILVMpMFwmKoO+29/foV1IHtwCh0ukt OSRA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=MnGFi7YJHgB+rn63ICZxYpCPEql3aofQapmS7FNbiEA=; b=OClSkqCLYZVYU/siC5PfHf8LXip+WbECxDT1Jf5NL/bqZZyJMHUWkojsvh/poLqosu xpLph25hKbu81RvZEHzpOlvWCdrFifFfK7uMf4Yo9HJjxCkT3tsw7+ESH4lm7rrzkWs9 nCg091nvnUr4SxVrYbn4xgWoho0gKATPNC/HnEbSb1E0EUwyNLO79FnTXBmAA12vwE+D A2Z00hwcmSfjSEjGit/GggOyWMYR32f8x/MQMFqlJwPeoHQNaiULX0V+fPG4ZDJWOJdE olPh1hsdS8fLL+NsM77+hfNj5Jv9W3OonXKTRmmjjV1UelnrllrizfNKckQzv7sbgvKE 63CA==
X-Gm-Message-State: AOAM530xXlGRBgdDrxQNPP4V6A52BAriNPQSwTtiLGvnFvfuRv7UQIUg uOGp3d0L50vplmJy9yxY1mggJ58aNsupRSAPkg0ZwV2wGzQ=
X-Google-Smtp-Source: ABdhPJw5Ku3EDjed0ma/aeOJFnrfeQC8o0A1AcDp/i5ncyAVf/vFeeGLtSfDXd7EpVmgaQsZbHnXKDgPbCiowzXqxwE=
X-Received: by 2002:a0c:9e17:: with SMTP id p23mr26323348qve.7.1618426047249; Wed, 14 Apr 2021 11:47:27 -0700 (PDT)
MIME-Version: 1.0
References: <60658198.2070902@openfortress.nl> <6066BAC6.2000801@openfortress.nl> <CAEfM=vRqHyWttEErG1xqAPkci=r+0ZMoNjkpT1Tv0dGFvkza=A@mail.gmail.com> <60680D1F.8060004@openfortress.nl> <CAEfM=vSwJ5MjD7HKFuAyineW5DD+MzM2wcdAztdhsQw1jbS8QQ@mail.gmail.com> <606C25C5.1000105@openfortress.nl>
In-Reply-To: <606C25C5.1000105@openfortress.nl>
From: Ash Wilson <ash.wilson@valimail.com>
Date: Wed, 14 Apr 2021 11:47:16 -0700
Message-ID: <CAEfM=vT2ZuPY_=Sq6qbs1jEv=E7h8LpnvF6A0-k_G9RxxzQMog@mail.gmail.com>
To: Rick van Rein <rick@openfortress.nl>
Cc: danish@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a4527c05bff32d9c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/6TjXkzyaUzTJP6J9Quicd0qsywE>
Subject: Re: [Danish] Application-Independent Client Identity through DANE
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Apr 2021 18:47:34 -0000

Hi Rick,
Sorry to keep you waiting on a reply.
I agree with you that we will need a registry of identity grouping
labels, if the construct does not fit within another existing registry.

The use case for discovering CA certificates makes sense to me, and with
such a mechanism, you can simplify the use of private PKI for establishing
TLS sessions. Having an underscore label representing the client identity
type, immediately to the left of the identity grouping label, could fit for
generic discovery of CA certificates via TLSA records, secured by DNSSEC.
This sounds like it would require a change in how TLS works, and for this
case we will also need a registry of client identity types. But I think
this might work, and it doesn't necessarily need to carry the complexity of
the PKIX-CD discovery pattern as long as you have DNSSEC configured for
your zone.

What are your thoughts on signing and encryption for object security use
cases? How do you see entity certificate discovery happening?

-Ash

On Tue, Apr 6, 2021 at 2:11 AM Rick van Rein <rick@openfortress.nl> wrote:

> Hello Ash,
>
> > This is interesting. So, let me summarize what I understand so far: this
> > provides a way of conveying an organization's CA so that any sub-identity
> > may be authenticated without explicitly creating a record for every
> > sub-identity in DNS. Is my understanding correct?
>
> Yes.  Although I barely focus on finding certificates, as I am assuming
> a rich user or server environment.  It's interesting though.
>
> The central idea is to trust a domain on the basis of (root or
> intermediate) CA certificates in DANE; they might be stored or hashed in
> DNS.
>
> > Here's an overlap (maybe): In the PKIX-CD draft (
> > https://datatracker.ietf.org/doc/draft-wilson-dane-pkix-cd/) we present
> a
> > method by which an authenticating entity may use the EE's DNS name and
> AKI
> > (both found in the certificate) to construct a URL for discovering the CA
> > certificate.
>
> That is an interesting idea, and perhaps not specific to client DANE.  I
> would venture to guess that it solves a general problem, possibly even
> of finding a root CA that may be solely trusted on grounds of DANE.  I
> was lazily proposing to put whole certificates into DNS, perhaps even
> for intermediate CAs.
>
> > Even if you don't publish the EE certs for DNS-based identities in DNS,
> you
> > can still use DNS to discover the trust chains. You can still get the DNS
> > name or email address out of the presented certificate and use that with
> > the AKI to construct a URL where the intermediate certificate that can
> > verify the EE certificate should be found.
>
> Yes.  This is also a way to get away from a large-but-limited set of
> well-known CAs, so it might help in applications that are more diverse,
> such as a domain-local CA or even peer-to-peer networks that employ DNS.
>
> > If this pattern works for your use case, then you'll have some
> > cross-compatibility for other use cases, where we do need the certificate
> > to be discoverable in DNS (object security use cases) as well as having a
> > sort of transitional mode between traditional PKI and DANE for
> > authentication, both hinging around DNS names for entities.
>
> I think it *almost* works.
>
> Your "_device" is an example of an identity grouping label, but it is
> not clear to me if this is something that is formally registered or a
> local network choice.
>
> When formally registered, a specification could be attached that defines
> the semantics of that name.  As a consequence, it would be possible to
> visit completely foreign domains for the first time to discover what
> their certificates are saying.  The shared semantics are the pivotal
> point here; applications need to know what they can assume when they
> find such a label.  This is a reason why SRV records work so well, yet
> are flexible for new specifications to adopt.
>
> It would be possible to make a choice to trust only configured domains
> to set a configured _label.  Then, anyone can add names without
> formalities, but a label _client-identity would not have necessary
> meaning; the domain owner would not be expressing anything but data,
> with no necessarily implied meaning.  So this idea of registered naming
> is vital to the idea of Realm Crossover.
>
> The ideas of with/without semantics can both be used with a _label that
> says "make no assumptions, unless you were configured to look underneath
> this one".
>
> Can you elaborate on that please?
>
>
> Cheers,
>  -Rick
>


-- 

*Ash Wilson* | Technical Director
*e:* ash.wilson@valimail.com

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.

v2.23.0 | Report a Bug | By Email