IETF Logo Mail Archive

Re: [Danish] Application-Independent Client Identity through DANE

Rick van Rein <rick@openfortress.nl> Tue, 06 April 2021 09:12 UTC

Return-Path: <rick@openfortress.nl>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A4B23A1822 for <danish@ietfa.amsl.com>; Tue, 6 Apr 2021 02:12:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.809
X-Spam-Level:
X-Spam-Status: No, score=-2.809 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=openfortress.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ZWT3N30iF3o for <danish@ietfa.amsl.com>; Tue, 6 Apr 2021 02:12:02 -0700 (PDT)
Received: from lb2-smtp-cloud7.xs4all.net (lb2-smtp-cloud7.xs4all.net [194.109.24.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D05BC3A1825 for <danish@ietf.org>; Tue, 6 Apr 2021 02:11:59 -0700 (PDT)
Received: from popmini.vanrein.org ([83.161.146.46]) by smtp-cloud7.xs4all.net with ESMTP id ThkXlGq38MxedThkYlBtw2; Tue, 06 Apr 2021 11:11:54 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openfortress.nl; i=rick@openfortress.nl; q=dns/txt; s=fame; t=1617700304; h=message-id : date : from : mime-version : to : cc : subject : references : in-reply-to : content-type : content-transfer-encoding : date : from : subject; bh=ObX/goqvo2mBMqy+CfIDiT087rXOnOyHT7/bOgngxxk=; b=j8bpIDYqxuadM0I2HDO6d94ERk9VXjTbJiJi9Fza1q4vgMq66tRDov2e T0Xb51luVmmV5SZ7jvx/qcPVTnWYWWjEntRR1dddONTsE75LUsJMZ1Yj5b 7iUx25UtYC9Q6MWCbXM5k3CA1xVGLAdif5JuuF9wPBlR+CuFkPSQfp8Ms=
Received: by fame.vanrein.org (Postfix, from userid 1006) id ABBED501C1; Tue, 6 Apr 2021 09:11:36 +0000 (UTC)
X-Original-To: danish@ietf.org
Received: from airhead.local (phantom.vanrein.org [83.161.146.46]) by fame.vanrein.org (Postfix) with ESMTPA id 04B66501BE; Tue, 6 Apr 2021 09:11:35 +0000 (UTC)
Message-ID: <606C25C5.1000105@openfortress.nl>
Date: Tue, 06 Apr 2021 11:11:33 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Ash Wilson <ash.wilson@valimail.com>
CC: danish@ietf.org
References: <60658198.2070902@openfortress.nl> <6066BAC6.2000801@openfortress.nl> <CAEfM=vRqHyWttEErG1xqAPkci=r+0ZMoNjkpT1Tv0dGFvkza=A@mail.gmail.com> <60680D1F.8060004@openfortress.nl> <CAEfM=vSwJ5MjD7HKFuAyineW5DD+MzM2wcdAztdhsQw1jbS8QQ@mail.gmail.com>
In-Reply-To: <CAEfM=vSwJ5MjD7HKFuAyineW5DD+MzM2wcdAztdhsQw1jbS8QQ@mail.gmail.com>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.520000, version=1.2.4
X-CMAE-Envelope: MS4xfA73J8imm/k/z/P83Dcd3Q23Q6VxbYA5nuqIeAUBJa6yV9wQGVWq2YamlNETfbg3BcRs7GrDSRkwkdRzL6dGC1s0SCSK0tkWycDt4yH6RmoV5Woh93zm gXjEY/hgH4DXajA/fJwwFZtCb36g5L7I985dD8NVmHhywVFDfsb4id8vGcaWiQY8fXw67q9LQyE3RQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/THP9_tX_y3CTuNWFFgkGUVz6lM4>
Subject: Re: [Danish] Application-Independent Client Identity through DANE
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Apr 2021 09:12:07 -0000

Hello Ash,

> This is interesting. So, let me summarize what I understand so far: this
> provides a way of conveying an organization's CA so that any sub-identity
> may be authenticated without explicitly creating a record for every
> sub-identity in DNS. Is my understanding correct?

Yes.  Although I barely focus on finding certificates, as I am assuming
a rich user or server environment.  It's interesting though.

The central idea is to trust a domain on the basis of (root or
intermediate) CA certificates in DANE; they might be stored or hashed in
DNS.

> Here's an overlap (maybe): In the PKIX-CD draft (
> https://datatracker.ietf.org/doc/draft-wilson-dane-pkix-cd/) we present a
> method by which an authenticating entity may use the EE's DNS name and AKI
> (both found in the certificate) to construct a URL for discovering the CA
> certificate.

That is an interesting idea, and perhaps not specific to client DANE.  I
would venture to guess that it solves a general problem, possibly even
of finding a root CA that may be solely trusted on grounds of DANE.  I
was lazily proposing to put whole certificates into DNS, perhaps even
for intermediate CAs.

> Even if you don't publish the EE certs for DNS-based identities in DNS, you
> can still use DNS to discover the trust chains. You can still get the DNS
> name or email address out of the presented certificate and use that with
> the AKI to construct a URL where the intermediate certificate that can
> verify the EE certificate should be found.

Yes.  This is also a way to get away from a large-but-limited set of
well-known CAs, so it might help in applications that are more diverse,
such as a domain-local CA or even peer-to-peer networks that employ DNS.

> If this pattern works for your use case, then you'll have some
> cross-compatibility for other use cases, where we do need the certificate
> to be discoverable in DNS (object security use cases) as well as having a
> sort of transitional mode between traditional PKI and DANE for
> authentication, both hinging around DNS names for entities.

I think it *almost* works.

Your "_device" is an example of an identity grouping label, but it is
not clear to me if this is something that is formally registered or a
local network choice.

When formally registered, a specification could be attached that defines
the semantics of that name.  As a consequence, it would be possible to
visit completely foreign domains for the first time to discover what
their certificates are saying.  The shared semantics are the pivotal
point here; applications need to know what they can assume when they
find such a label.  This is a reason why SRV records work so well, yet
are flexible for new specifications to adopt.

It would be possible to make a choice to trust only configured domains
to set a configured _label.  Then, anyone can add names without
formalities, but a label _client-identity would not have necessary
meaning; the domain owner would not be expressing anything but data,
with no necessarily implied meaning.  So this idea of registered naming
is vital to the idea of Realm Crossover.

The ideas of with/without semantics can both be used with a _label that
says "make no assumptions, unless you were configured to look underneath
this one".

Can you elaborate on that please?


Cheers,
 -Rick

v2.23.0 | Report a Bug | By Email