Re: [Danish] Proposed WG Charter
Michael Richardson <mcr+ietf@sandelman.ca> Mon, 21 June 2021 21:08 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18C4B3A19BC for <danish@ietfa.amsl.com>; Mon, 21 Jun 2021 14:08:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.002
X-Spam-Level:
X-Spam-Status: No, score=0.002 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EfwlVXtb5qkW for <danish@ietfa.amsl.com>; Mon, 21 Jun 2021 14:08:37 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F8D23A19AB for <danish@ietf.org>; Mon, 21 Jun 2021 14:08:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id E54E338ABB; Mon, 21 Jun 2021 17:10:08 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id H_vkM8hvBrB0; Mon, 21 Jun 2021 17:10:04 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 0E23A38A77; Mon, 21 Jun 2021 17:10:04 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 6A8E65D3; Mon, 21 Jun 2021 17:08:30 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Roman Danyliw <rdd@cert.org>, "danish@ietf.org" <danish@ietf.org>
In-Reply-To: <DM3P110MB05387F1E477021BB812910B2DC0A9@DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM>
References: <YMZwG/l/pne2tHJF@straasha.imrryr.org> <A7723DDA-3B78-46AD-9449-B6DF7F211706@nohats.ca> <18269.1623628404@localhost> <DM3P110MB05387F1E477021BB812910B2DC0A9@DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Mon, 21 Jun 2021 17:08:30 -0400
Message-ID: <26349.1624309710@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/S73JNS_PF2PY8wNNtb-STdkiyVw>
Subject: Re: [Danish] Proposed WG Charter
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DANE AutheNtication for Iot Service Hardening <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jun 2021 21:08:42 -0000
I will put the first iteration into: https://github.com/mcr/danish-bof and then my proposed changes, and then editorial around that. I don't feel that I/we have consensus around my rewrite yet, but I'll post about that, and maybe we can agree. Roman Danyliw <rdd@cert.org> wrote: >> -Problem statement > Editorially, it would be helpful to have symmetry between the objective > and the problem statement; and clear delineation between the two > identified problems (this might also be the tee of for naming the two > use cases). I'm not sure I understand what you mean here. Are you saying that the text: } The WG will also use DANE to establish identities for store and forward of } messages using sender identities. [better wording sought] needs to align better? >> The process of establishing trust in public-key-authenticated identity typically >> involves the use of a Public Key Infrastructure (PKI), and a shared PKI root of >> trust between the parties exchanging public keys. A Certification Authority (CA) >> is one example of a PKI which can be used for establishing trust in public keys. >> >> The DNS namespace, together with DNSSEC, forms the most widely-recognized >> namespace and authenticated discovery mechanism on the Internet. >> DANE builds on this authenticated discovery mechanism to enable public key- >> based TLS authentication which is resilient to impersonation, but only for TLS >> server identities. >> >> In response to the challenges related to ambiguity between identities issued by >> different CAs, application owners frequently choose to onboard IoT devices to a >> single private CA specific to that vertical. >> This creates a silo effect where different parts of large deployment can not >> communicate. For instance the heating cooling system of a building can not >> authenticate the lighting control system. >> >> Many IoT deployments use some kind of message bus (for instance MQTT) to >> exchange data, and there is a strong desire to add message-level security >> (MLS) to the objects which are exchanged. While there is TLS for connection >> security, it does not extend to what is communicated and so does not convey >> authority to make a claim, while a MLS would provide that > -- I don't know if I follow all of the use cases so I wondering if it > should it be assumed that there is always TLS for communication > security (i.e., “while there might be TLS in use for connection > security ...”) Yes, that's a reasonable qualification. MQTT doesn't always require TLS. (It's shocking to me) ACE is doing a profile for it. > -- What is meant by “it doesn’t extend to what is communicated”? Is it > that there aren’t end-to-end properties due the middleware/message bus? > Recommend spelling this out. Nothing specific to MQTT: most buses have this property. > -- (Editorial) Recommend avoid the term “claim” as it might be > perceived as overlapping with “claims” from things like OAuth. The attack is that node X says that the temperature is 37C, and X is not a temperature sensor. And here I was worried you'd complain that "claim" conflicted with RATS :-) What term should we use here? They all seem conflcited to me. > -- (Editorial) Recommend avoiding using the term “MLS” (per above, > object security makes more sense), but also because of possible > confusion with the MLS WG. If we are in agreement that it will all become "object security", then good. >> A DNS name is a useful unique identifier to which humans interact with well, >> and which can be used (thanks to DNSSEC and DANE) to attach a key by which >> to authenticate the message sender identity. > This is true, but doesn’t seem relevant to the problem statement. Hmm! This is surprising. I thought that was 90% of the point of the work! >> DANISH will specify the TLS session and message security use cases and an >> architecture describing the primary components and interaction patterns. > Nit. Is a “TLS session” use case the same as DANE-based TLS client > authentication? Recommend consistent use case language. okay. >> DANISH will establish usage conventions for DANE DNS records to represent >> client identity for TLS connections and how to perform public key discovery for >> message security use cases, like the establishment of message sender identity. > -- I’m tripping over the editorial construct here. I think the > sentence should say that the client identity “usage conventions” apply > to both TLS client auth and object security. The discovery mechanism > applies only to the object security use case. agreed. > -- Is the scope more than usage conventions? It seems like it might > include not only the specification of client side credentials but also > (?) the operational practices for using them? I think that the answer is yes, but can you give me an example of an operational practice that we'd be specifying? >> DANISH will coordinate with the TLS working group to define any required TLS >> v1.3 protocol updates required to support client authentication using DANE. >> >> {XXX cross this out? >> DANISH will standardize a protocol and specify operational recommendations >> for the use of Web PKI to authenticate the discovery of private PKI certificates >> and trust chains via DANE DNS record types, in the absence of DNSSEC, in >> support of the message security use case. } >> >> While modifications to the following standards are not within the scope of the >> DANISH charter, the DANISH working group will take care to ensure a potential >> path for interoperability with the following standards, enabling potential future >> work:SMIMEA (RFC 8162), Proxy headers (RFC 7239), IANA email >> authentication headers, and TCP proxy TLVs standardized by haproxy. > Agree with the helpful focused provided by removing of above paragraphs. Thank you, that's very useful. >> -Deliverables: >> DANISH architecture document >> 9 months > Where are the use cases going to be documented? Is this a “DANISH use > case and architecture” doc or do we need two deliverables here (use > case and architecture). No feelings either what on whether one is > better than two. I think you know how it went in RATS, and I think that it's a pattern we should repeat. I can reply to this comment afterwards to explain, as I bet 90% of people stopped reading :-) >> DANE for client certificates (current draft) >> 6 months > “DANE for client certificates” as a designator doesn’t follow for me > from the above text (although I realize that it comes from individual > draft text). Is this the deliverable that also covers getting the > keys for the object use case? Most of the text above generically talks > about client identity but here it's explicitly client certificates (I’d > suggest clarity and consistency) The 1986s ITU-T police are gonna get you for even thinking that identity is other than a certificate :-) :-) :-) Expect them to show up in red Duran Duran jackets. Yes, I think that it includes the object security use case. I guess it should say, "DANE for device certificates" maybe? >> DANE for TLS client authentication (current draft) >> 6 months > Finally, since there are existing drafts > https://datatracker.ietf.org/doc/draft-huque-tls-dane-clientid/ and > https://datatracker.ietf.org/doc/draft-huque-dane-client-cert/, is > there sufficient interest in calling them out as starting points of the > work? I guess that's a consensus question, right? {off to run} -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Paul Wouters
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Paul Hoffman
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Shumon Huque
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] [EXT] Re: Proposed WG Charter Jacques Latour
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Paul Wouters
- Re: [Danish] Proposed WG Charter Paul Wouters
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Roman Danyliw
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Jacques Latour