IETF Logo Mail Archive

Re: [Danish] Application-Independent Client Identity through DANE

Rick van Rein <rick@openfortress.nl> Tue, 20 April 2021 08:58 UTC

Return-Path: <rick@openfortress.nl>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 585A33A18F0 for <danish@ietfa.amsl.com>; Tue, 20 Apr 2021 01:58:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.119
X-Spam-Level:
X-Spam-Status: No, score=-2.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=openfortress.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MKxzkMW6Mlv2 for <danish@ietfa.amsl.com>; Tue, 20 Apr 2021 01:58:28 -0700 (PDT)
Received: from lb1-smtp-cloud8.xs4all.net (lb1-smtp-cloud8.xs4all.net [194.109.24.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9E8B3A18F1 for <danish@ietf.org>; Tue, 20 Apr 2021 01:58:25 -0700 (PDT)
Received: from popmini.vanrein.org ([83.161.146.46]) by smtp.xs4all.nl with ESMTP id YmD6lPIxBuz3GYmD7lutnY; Tue, 20 Apr 2021 10:58:21 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openfortress.nl; i=rick@openfortress.nl; q=dns/txt; s=fame; t=1618909091; h=message-id : date : from : mime-version : to : cc : subject : references : in-reply-to : content-type : content-transfer-encoding : date : from : subject; bh=3DTbTIex3HJ/nBljjXtmKhdLHlQ3b4d2pzejFTdSCe4=; b=iabP2t+q8j0sK0sZX+kHXgRzO0Vlr+vQGG+o+W9ycbaZxz7Anj2lQkmt FQHMNDcqpyXU6K3odIiZdQNf0NU0monSKEpHknqrV0QTirvmGD2Nvi6Ab4 z3f4vOa1nLoRWoji0/ulmjSEpRSptQ6J5C87BqPUSqmT8bM+yRAkyUkbY=
Received: by fame.vanrein.org (Postfix, from userid 1006) id EDA2A512AC; Tue, 20 Apr 2021 08:58:03 +0000 (UTC)
X-Original-To: danish@ietf.org
Received: from airhead.local (phantom.vanrein.org [83.161.146.46]) by fame.vanrein.org (Postfix) with ESMTPA id 6C224512A9; Tue, 20 Apr 2021 08:57:57 +0000 (UTC)
Message-ID: <607E9793.3060100@openfortress.nl>
Date: Tue, 20 Apr 2021 10:57:55 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Ash Wilson <ash.wilson@valimail.com>
CC: danish@ietf.org
References: <60658198.2070902@openfortress.nl> <6066BAC6.2000801@openfortress.nl> <CAEfM=vRqHyWttEErG1xqAPkci=r+0ZMoNjkpT1Tv0dGFvkza=A@mail.gmail.com> <60680D1F.8060004@openfortress.nl> <CAEfM=vSwJ5MjD7HKFuAyineW5DD+MzM2wcdAztdhsQw1jbS8QQ@mail.gmail.com> <606C25C5.1000105@openfortress.nl> <CAEfM=vT2ZuPY_=Sq6qbs1jEv=E7h8LpnvF6A0-k_G9RxxzQMog@mail.gmail.com>
In-Reply-To: <CAEfM=vT2ZuPY_=Sq6qbs1jEv=E7h8LpnvF6A0-k_G9RxxzQMog@mail.gmail.com>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.520000, version=1.2.4
X-CMAE-Envelope: MS4xfBaMZnVmQuE0kcKBJAj3YCE/1YMXdsHsMl9q5SFfnNGqLTxot0LI0BfXZj82zqyJQbcL7V+iqSJzL4LjB0k55DJTwYGzFUlNKfjr0PalyUsa022wHIy3 tbk6o8S56oYVYcANAWgHkO5iwq9UsPQKhVqSnaBGkKDU2AxlXWLw22iIx8bNU8OH/mqljbZTGevx8g==
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/VvMOXyWXch6MeKu77mVOGIH4G_E>
Subject: Re: [Danish] Application-Independent Client Identity through DANE
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2021 08:58:33 -0000

Hello Ash,

> I agree with you that we will need a registry of identity grouping
> labels, if the construct does not fit within another existing registry.

I hadn't checked if a suitable registry already exists, but the
"Underscored and Globally Scoped DNS Node Names" could be it, because
RFC 8552 defines it as just what I had in mind.

https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#underscored-globally-scoped-dns-node-names

Note that these are "static" _labels, defined under Expert Review, to be
assigned structure/semantics while at it, which is what I meant.  These
are not "dynamic" _node123 labels that could be defined by clients,
though that would be possible under a static _label too.  I am not sure
what you are looking for.

> The use case for discovering CA certificates makes sense to me, and with
> such a mechanism, you can simplify the use of private PKI for establishing
> TLS sessions. Having an underscore label representing the client identity
> type, immediately to the left of the identity grouping label, could fit for
> generic discovery of CA certificates via TLSA records, secured by DNSSEC.

Yes, that's a nice and terse summary of what I have in mind.

> This sounds like it would require a change in how TLS works,

Not the protocol, but the trust evaluation.  It's not that different
from server DANE applications though.  In fact, trust in a client/peer
certificate is often defined locally.  One of those local definitions
could be to adopt the "CXOVER" or "Certificate Crossover" mechanism.

> and for this
> case we will also need a registry of client identity types. But I think
> this might work, and it doesn't necessarily need to carry the complexity of
> the PKIX-CD discovery pattern as long as you have DNSSEC configured for
> your zone.

This is not mine to judge.

> What are your thoughts on signing and encryption for object security use
> cases?

Before you mentioned sigverify and encrypt, which are the pivotal points
where trust is needed.  I'd say that the technical operations with these
names are not what users need; they need to use them in protocol
settings for purposes: authentication, integrity validation, and indeed
from-here-to-recipient privacy.

> How do you see entity certificate discovery happening?

Ehm, use cases...

1. TLS clients would transmit the identity that the want trusted.
   The other TLS peer retrieves the uid=,dc=,dc= from the certificate
   and does a TLSA lookup for the dc=,dc= domain to validate the CA
   and trust the uid=,dc=,dc= remote TLS client.

2. S/MIME signatures https://tools.ietf.org/html/rfc5652#section-5.1
   intends for signerInfos-mentioned certificates to be contained
   in the certificates set.  Validation retrieves the uid=,dc=,dc=
   from the certificate and does a TLSA lookup for the dc=,dc= domain
   to validate the CA and trust the uid=,dc=,dc= sender identity.
   S/MIME signatures intend to include the certificate chain.

3. S/MIME encryption https://tools.ietf.org/html/rfc5652#section-5.2
   is cryptographically initialised by the sending party, so this is
   the case that requires download of certificates.  To validate the
   certificate retrieved from such a download, the uid=,dc=,dc= in
   the certificate is verified against the intended recipient and
   then the sender does a TLSA lookup or the dc=,dc= domain and
   validates the downloaded certificate can be trusted; it then sends
   S/MIME content which intends to include the certificate chain(s).

For downloading in 3, I tend to prefer the standards' prescribed choice
of LDAP because of its rich semantics.  For small devices there may be
other considerations, but they are likely to be less rich, and so not a
general solution.  (BTW, I have made a very small LDAP stack too, but to
date it has only been unit-tested.)


Inviting opinions :)


Cheers,
 -Rick

v2.23.0 | Report a Bug | By Email