Re: [Danish] Application-Independent Client Identity through DANE
Rick van Rein <rick@openfortress.nl> Tue, 20 April 2021 08:58 UTC
Return-Path: <rick@openfortress.nl>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 585A33A18F0 for <danish@ietfa.amsl.com>; Tue, 20 Apr 2021 01:58:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.119
X-Spam-Level:
X-Spam-Status: No, score=-2.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=openfortress.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MKxzkMW6Mlv2 for <danish@ietfa.amsl.com>; Tue, 20 Apr 2021 01:58:28 -0700 (PDT)
Received: from lb1-smtp-cloud8.xs4all.net (lb1-smtp-cloud8.xs4all.net [194.109.24.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9E8B3A18F1 for <danish@ietf.org>; Tue, 20 Apr 2021 01:58:25 -0700 (PDT)
Received: from popmini.vanrein.org ([83.161.146.46]) by smtp.xs4all.nl with ESMTP id YmD6lPIxBuz3GYmD7lutnY; Tue, 20 Apr 2021 10:58:21 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openfortress.nl; i=rick@openfortress.nl; q=dns/txt; s=fame; t=1618909091; h=message-id : date : from : mime-version : to : cc : subject : references : in-reply-to : content-type : content-transfer-encoding : date : from : subject; bh=3DTbTIex3HJ/nBljjXtmKhdLHlQ3b4d2pzejFTdSCe4=; b=iabP2t+q8j0sK0sZX+kHXgRzO0Vlr+vQGG+o+W9ycbaZxz7Anj2lQkmt FQHMNDcqpyXU6K3odIiZdQNf0NU0monSKEpHknqrV0QTirvmGD2Nvi6Ab4 z3f4vOa1nLoRWoji0/ulmjSEpRSptQ6J5C87BqPUSqmT8bM+yRAkyUkbY=
Received: by fame.vanrein.org (Postfix, from userid 1006) id EDA2A512AC; Tue, 20 Apr 2021 08:58:03 +0000 (UTC)
X-Original-To: danish@ietf.org
Received: from airhead.local (phantom.vanrein.org [83.161.146.46]) by fame.vanrein.org (Postfix) with ESMTPA id 6C224512A9; Tue, 20 Apr 2021 08:57:57 +0000 (UTC)
Message-ID: <607E9793.3060100@openfortress.nl>
Date: Tue, 20 Apr 2021 10:57:55 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: Ash Wilson <ash.wilson@valimail.com>
CC: danish@ietf.org
References: <60658198.2070902@openfortress.nl> <6066BAC6.2000801@openfortress.nl> <CAEfM=vRqHyWttEErG1xqAPkci=r+0ZMoNjkpT1Tv0dGFvkza=A@mail.gmail.com> <60680D1F.8060004@openfortress.nl> <CAEfM=vSwJ5MjD7HKFuAyineW5DD+MzM2wcdAztdhsQw1jbS8QQ@mail.gmail.com> <606C25C5.1000105@openfortress.nl> <CAEfM=vT2ZuPY_=Sq6qbs1jEv=E7h8LpnvF6A0-k_G9RxxzQMog@mail.gmail.com>
In-Reply-To: <CAEfM=vT2ZuPY_=Sq6qbs1jEv=E7h8LpnvF6A0-k_G9RxxzQMog@mail.gmail.com>
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.520000, version=1.2.4
X-CMAE-Envelope: MS4xfBaMZnVmQuE0kcKBJAj3YCE/1YMXdsHsMl9q5SFfnNGqLTxot0LI0BfXZj82zqyJQbcL7V+iqSJzL4LjB0k55DJTwYGzFUlNKfjr0PalyUsa022wHIy3 tbk6o8S56oYVYcANAWgHkO5iwq9UsPQKhVqSnaBGkKDU2AxlXWLw22iIx8bNU8OH/mqljbZTGevx8g==
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/VvMOXyWXch6MeKu77mVOGIH4G_E>
Subject: Re: [Danish] Application-Independent Client Identity through DANE
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2021 08:58:33 -0000
Hello Ash, > I agree with you that we will need a registry of identity grouping > labels, if the construct does not fit within another existing registry. I hadn't checked if a suitable registry already exists, but the "Underscored and Globally Scoped DNS Node Names" could be it, because RFC 8552 defines it as just what I had in mind. https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#underscored-globally-scoped-dns-node-names Note that these are "static" _labels, defined under Expert Review, to be assigned structure/semantics while at it, which is what I meant. These are not "dynamic" _node123 labels that could be defined by clients, though that would be possible under a static _label too. I am not sure what you are looking for. > The use case for discovering CA certificates makes sense to me, and with > such a mechanism, you can simplify the use of private PKI for establishing > TLS sessions. Having an underscore label representing the client identity > type, immediately to the left of the identity grouping label, could fit for > generic discovery of CA certificates via TLSA records, secured by DNSSEC. Yes, that's a nice and terse summary of what I have in mind. > This sounds like it would require a change in how TLS works, Not the protocol, but the trust evaluation. It's not that different from server DANE applications though. In fact, trust in a client/peer certificate is often defined locally. One of those local definitions could be to adopt the "CXOVER" or "Certificate Crossover" mechanism. > and for this > case we will also need a registry of client identity types. But I think > this might work, and it doesn't necessarily need to carry the complexity of > the PKIX-CD discovery pattern as long as you have DNSSEC configured for > your zone. This is not mine to judge. > What are your thoughts on signing and encryption for object security use > cases? Before you mentioned sigverify and encrypt, which are the pivotal points where trust is needed. I'd say that the technical operations with these names are not what users need; they need to use them in protocol settings for purposes: authentication, integrity validation, and indeed from-here-to-recipient privacy. > How do you see entity certificate discovery happening? Ehm, use cases... 1. TLS clients would transmit the identity that the want trusted. The other TLS peer retrieves the uid=,dc=,dc= from the certificate and does a TLSA lookup for the dc=,dc= domain to validate the CA and trust the uid=,dc=,dc= remote TLS client. 2. S/MIME signatures https://tools.ietf.org/html/rfc5652#section-5.1 intends for signerInfos-mentioned certificates to be contained in the certificates set. Validation retrieves the uid=,dc=,dc= from the certificate and does a TLSA lookup for the dc=,dc= domain to validate the CA and trust the uid=,dc=,dc= sender identity. S/MIME signatures intend to include the certificate chain. 3. S/MIME encryption https://tools.ietf.org/html/rfc5652#section-5.2 is cryptographically initialised by the sending party, so this is the case that requires download of certificates. To validate the certificate retrieved from such a download, the uid=,dc=,dc= in the certificate is verified against the intended recipient and then the sender does a TLSA lookup or the dc=,dc= domain and validates the downloaded certificate can be trusted; it then sends S/MIME content which intends to include the certificate chain(s). For downloading in 3, I tend to prefer the standards' prescribed choice of LDAP because of its rich semantics. For small devices there may be other considerations, but they are likely to be less rich, and so not a general solution. (BTW, I have made a very small LDAP stack too, but to date it has only been unit-tested.) Inviting opinions :) Cheers, -Rick
- [Danish] Application-Independent Client Identity … Rick van Rein
- Re: [Danish] Application-Independent Client Ident… Rick van Rein
- Re: [Danish] Application-Independent Client Ident… Shumon Huque
- Re: [Danish] Application-Independent Client Ident… Rick van Rein
- Re: [Danish] Application-Independent Client Ident… Rick van Rein
- Re: [Danish] Application-Independent Client Ident… Rick van Rein
- Re: [Danish] Application-Independent Client Ident… Rick van Rein
- Re: [Danish] Application-Independent Client Ident… Ash Wilson
- Re: [Danish] Application-Independent Client Ident… Rick van Rein
- Re: [Danish] Application-Independent Client Ident… Rick van Rein