Re: [Danish] Proposed WG Charter

Ash Wilson <ash.wilson@valimail.com> Mon, 14 June 2021 22:24 UTC

Return-Path: <ash.wilson@valimail.com>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AA173A109D for <danish@ietfa.amsl.com>; Mon, 14 Jun 2021 15:24:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TO7a1eecboM7 for <danish@ietfa.amsl.com>; Mon, 14 Jun 2021 15:24:17 -0700 (PDT)
Received: from mail-qt1-x836.google.com (mail-qt1-x836.google.com [IPv6:2607:f8b0:4864:20::836]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BC963A109E for <danish@ietf.org>; Mon, 14 Jun 2021 15:24:17 -0700 (PDT)
Received: by mail-qt1-x836.google.com with SMTP id a15so9770950qtx.13 for <danish@ietf.org>; Mon, 14 Jun 2021 15:24:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=zT9/G3+Ml/LTQD9QNJKTHJ/oOX2OibdklOfU7z5s0PA=; b=RbFPVmjxOm0uR4kJVXZ/FH80Vt1c+giwpc48QCoMUnjzunNtT0hmzuM9V0VTiVJJKe +ijnot+x6imRoUGXUHWdw9sI9UfTbDlQKRnZiUQOHnAEm2lWY0X/JESA5TdPLelYDHN0 NwEeyYq5dWztU2rL1kuiaUYMODkYgr/D1f93mJNyTTotMNQKNHxYdNW4NfWcnF4KgKY7 m8M9oHdnYnp8ee5B4aGTdNrY3DvvWpXkmmloXx+KcNvA+QQffWQsifjh+M1ya6o09cGV ufLyFgxCersdN9Zup24orbJMPuKEsN5XLcgdLYsC0ywEeu8EpKp551kkle9eRpoLEemY 5GdQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=zT9/G3+Ml/LTQD9QNJKTHJ/oOX2OibdklOfU7z5s0PA=; b=fPitvsMWkCpcdT364cirC6d6f1uC+RF2/Bph1Ds18bFwUKWRYYQ49MW+bvnT4PVoNb wgBTX4yTYiZKhP+MPfmhQZp4aTPFtM7GBcHeyK8IUNiEJ/ufO3ybJA6Jj/nAScXkpdMx Q1a7mfLlJqnZqWRT6RrRTNROftnWK55GzZaxPAnsTL+ZkAiAHi8y+jbo7JPqZ6OyLVjX vCM+ZYQ2akji+iE/toIt+6a/220PBYd8gYjUvxhbHRodliVKGpvdn58Y8jKStA0J1hiF lJ4BY/dgnUjbn9Do9bDSfPfOGJJzW75R+hvJcK9A8n8S5BG25f/nX9bZArzTRObBSWNI ECeA==
X-Gm-Message-State: AOAM531Hc1LeNgnxSIZ686pAZ4OkBk6/aUl9VW9KNMgaHgMMKpIS1P2T 2rbZX5PRmVLHjb7UdFNXF3wA8bR51ftnlAJHvARr2A==
X-Google-Smtp-Source: ABdhPJwMM2y2HbXr9lWHv3mcQY2nzHlVQFxRvXohtFHwRv0zrST+aKGcja4TVQlpglgna6xISPHs3PvQuf667C1dtOE=
X-Received: by 2002:ac8:5b86:: with SMTP id a6mr4200030qta.231.1623709455299; Mon, 14 Jun 2021 15:24:15 -0700 (PDT)
MIME-Version: 1.0
References: <CAEfM=vRA4P7As25Krc64Q5QTEuQZidpmzWgXWivOxOm8x-9ZAw@mail.gmail.com> <2920.1623516964@localhost> <CAEfM=vRnLc9PAPiKSY+2UMr6mP_YUBiBHDULB+nRDC3Fv6fUTw@mail.gmail.com>
In-Reply-To: <CAEfM=vRnLc9PAPiKSY+2UMr6mP_YUBiBHDULB+nRDC3Fv6fUTw@mail.gmail.com>
From: Ash Wilson <ash.wilson@valimail.com>
Date: Mon, 14 Jun 2021 15:24:04 -0700
Message-ID: <CAEfM=vTg5QRnnAk4VR5EHTqMrrfNYFkp1mCm-LukrKcpy3_+iw@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, danish@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004d4eec05c4c15181"
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/L2HD8lCDMLZLXKeuXOttEXPEATo>
Subject: Re: [Danish] Proposed WG Charter
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jun 2021 22:24:24 -0000

Failed to reply to all earlier- here's the message back in-channel.

On Mon, Jun 14, 2021 at 10:53 AM Ash Wilson <ash.wilson@valimail.com> wrote:

> Hi Mike,
> Thanks for the feedback, responses in-line below...
>
> On Sat, Jun 12, 2021 at 9:56 AM Michael Richardson <mcr+ietf@sandelman.ca>
> wrote:
>
>>
>> Thanks Ash for doing such a good job on this charter.
>> {I appologize for being rather lame in responding to the charter
>> discussions
>> in the past few weeks... some kind of COVID induced mid-life depression
>> around turning 50, and being unable to stay up all night writing code}
>>
>> The charter feels a bit long/detailed I think, with content that maybe
>> belongs in a problem statement draft.... But, if the IESG doesn't mind
>> that,
>> I don't.
>>
>> Some thoughts as I read it again:
>>
>> > but has also
>> > shown that reliance on DNSSEC is a significant barrier to adoption.
>>
>> also:
>> > The greatest barrier to DANE adoption has been the DNSSEC requirement.
>>
>> Reading this, I wonder if we really understand why DNSSEC has been so
>> hard to
>> get deployed among Enterprise entities.  TLDs have done it, because ICANN
>> forced them to.
>> As evidence, we don't need DLV anymore (I was involved in running it, and
>> decommissioning it).  What I'm trying to say/ask: if there in fact some
>> work
>> in understanding this?   An increasing number of DNS Registrars support DS
>> records, and CDS is supposed to make this even easier.
>>
>> Adding DNSSEC to a DNS server seems (to me), *significantly* easier than
>> operating a private CA, but its also apples vs oranges.
>
>
> In conversation with folks outside this group, but related to the topic at
> hand, the general perception is that the benefits of DNSSEC implementation
> do not outweigh the risk-related drawbacks. A few specific drawbacks cited
> have been: an anticipated increase in time to resolve DNS-related issues
> (uptime impact), a need for specialized knowledge in order to troubleshoot
> DNSSEC-related issues (hiring, training, retention), interoperability
> concerns with DNS-based load balancing and CDNs, and a general desire to
> avoid adding complexity that doesn't tie to some sort of competitive
> advantage for the business. This is anecdotal, and only represents the
> conversations I've had in trying to understand the feasibility of creating
> the protocol. A proper survey, perhaps conducted by registrars, would be
> quite useful for understanding and addressing the challenges that are
> impeding DNSSEC adoption.
>
>
>>
>>
>> > This allows for a gradual DANE
>> > adoption where DNSSEC is not in the initial set of requirements.
>>
>> It seems that if we make something that makes DNSSEC less important, that
>> DNSSEC will never become important.
>>
>
> DNSSEC is important. I think that the benefits just aren't overshadowing
> the perceived risks. If DNSSEC is a requirement to even try a DNS-based
> device identity strategy, R&D groups may just seek a path of less
> resistance. Even if an R&D group purchases a separate domain for testing
> with DNSSEC, they still have to sell the idea to the organization's
> technical leadership before it can be adopted under the organizational
> domain. Depending on the organization, that can be a big gamble. The R&D
> group has little room to negotiate the topic of DNS-based device identity
> with technical leadership, without a transitional mode.
>
> If we have a transitional protocol mode which allows gradual adoption,
> enterprises can more easily demonstrate initial success with DNS-based
> identities. The full set of benefits, like direct support in the TLS
> protocol, can only be realized by completing the transition to DNSSEC. It's
> much easier to justify the adoption of DNSSEC if it's tied to increasing
> the success of an existing initiative. We certainly don't want to diminish
> the importance of DNSSEC- this is about incentivizing implementation by
> making it a part of an adoption path for DNS-based identities.
>
>
>> > In response to the challenges related to ambiguity between identities
>> > issued by different CAs, application owners frequently choose to onboard
>> > IoT devices to a single CA. This process of credential issuance can be
>> > time-consuming, which is further exacerbated by the sheer number of
>> > entities participating in large-scale IoT deployments.
>>
>> So I understand why a single CA solves the potential identity confusion.
>> I don't understand why the scale matters here.  That sentence seems almost
>> a non-sequitor.
>>
>
> Each device needing to be onboarded to an organizational PKI takes a
> certain amount of time to establish an identity within that PKI. With a
> large-scale deployment with many thousands of devices, the provisioning
> process can be time consuming and impacts the cost of the project. If a
> supplier ships devices with immediately useful DNS-based identities, then
> the network and application onboarding time can be reduced, which has a
> favorable impact on project cost.
>
>
>> I think that the charter needs to introduce the message use case.
>> Or maybe delegate that more clearly.
>
> Good point. I was trying to keep it concise, but left out some detail
> where it could have been helpful.
>
>> --
>> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting
>> )
>>            Sandelman Software Works Inc, Ottawa and Worldwide
>> --
>> Danish mailing list
>> Danish@ietf.org
>> https://www.ietf.org/mailman/listinfo/danish
>>
>

-- 

*Ash Wilson* | Technical Director
*e:* ash.wilson@valimail.com

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.