IETF Logo Mail Archive

Re: [Danish] Application-Independent Client Identity through DANE

Shumon Huque <shuque@gmail.com> Fri, 02 April 2021 12:45 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E4253A13CF for <danish@ietfa.amsl.com>; Fri, 2 Apr 2021 05:45:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y9n5q821I5pA for <danish@ietfa.amsl.com>; Fri, 2 Apr 2021 05:44:56 -0700 (PDT)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15A533A13E1 for <danish@ietf.org>; Fri, 2 Apr 2021 05:44:55 -0700 (PDT)
Received: by mail-ed1-x532.google.com with SMTP id h13so5337714eds.5 for <danish@ietf.org>; Fri, 02 Apr 2021 05:44:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CXGr0+/Blsg0p4sF9JUWddZ1D3AnsoQeU53uUjmuEoo=; b=azbC3FaOkkkdgxfM1T38JaoGRpAhXEEdN0OffJmZRXMnfLk9o2kMaidYlKK/a7Nhe/ fEsGmixiH9O5CdiLR0OJx7ZcgmFgO8H7YVQjHY+wgYyyajhnF2SItanPSoxqiVCTrncW r0o8WCSmRCUwmn+XUvGUkD3xWzzxCNJBEacKagIMYcWsBMCeTSOELb2J4FwWuKR06bZj TrFMH/d9YJghD2MGWJO9r3ASXSV9ywVWs4npiY3Edk7NepDCsaCVOB2h3YN+L9Jy/vdt q1RY1uHgtYWYFDMg9lfgCWcmywJ6UpwInPY79Ub4/U6gAM1++Z/QFSF12SUoAsUmK84l 8hJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CXGr0+/Blsg0p4sF9JUWddZ1D3AnsoQeU53uUjmuEoo=; b=qZXU0yXxH4njv9Zm/DI68+vc8eI/s8hZYcXQnTwIQUYIQaS7p/MLffRSNb7AXOlW2F WsHNe7K+/nXoWiXo8cvnEvp9UrPBQcci9I9hCWvdrVqcrWazL/lMThaPNjXcUBOwGH8q TEbkA7sDNOFenpvukV5uFIjgu8ZFXHHZAdCMbUKFgd91w/sGPeIr5TtOImFlW65aklF5 hYFz59aH9OoPmxW//ZDAoYg3BCjzz/YkpzkpsHnnIm1PCi3XaeXpkUvbIG7psSC/q2Ib 5biHzV/Pis0Bmo+UWuoSHAwvVPqvydNXlcA3NvSNVwCkPOkWV4/9rr88BSs65x9EoIgh ZQkA==
X-Gm-Message-State: AOAM5304KFpVJfWeKQkpx0uRlGXWg2XoU+d5rY6jN3aITGWf+OdfPc5v QY4qmgmR56j9au9wKsHKK65sVt6wZXzExEFW0iJl38E3
X-Google-Smtp-Source: ABdhPJwEYCmrjJsPiO+GniVlgI8xIujglk67GWzdySh7epocjdQ22PlxaJwzHrI15FBhaWTghJTvIT7EDNXHE4UnGtE=
X-Received: by 2002:a50:ed96:: with SMTP id h22mr15056836edr.39.1617367492990; Fri, 02 Apr 2021 05:44:52 -0700 (PDT)
MIME-Version: 1.0
References: <60658198.2070902@openfortress.nl> <6066BAC6.2000801@openfortress.nl>
In-Reply-To: <6066BAC6.2000801@openfortress.nl>
From: Shumon Huque <shuque@gmail.com>
Date: Fri, 02 Apr 2021 08:44:41 -0400
Message-ID: <CAHPuVdUWzhYkFhNykV+23KNpxNVAsq91xyocb15GLojZK3bvdw@mail.gmail.com>
To: Rick van Rein <rick@openfortress.nl>
Cc: danish@ietf.org
Content-Type: multipart/alternative; boundary="000000000000e4180e05befcb62e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/WAgRNFRC6MmsVUNA_6fSrQl50yg>
Subject: Re: [Danish] Application-Independent Client Identity through DANE
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Apr 2021 12:45:02 -0000

Thanks Rick,

I'm reviewing, and hope others will too.

I'll note that although this work is expected to be done in the context of
an IOT focussed working group, the DANE client authentication draft is
general purpose in nature, and we know that there are several folks from
other application communities interested in this (SMTP, etc). So, I'm
personally very open to expanding the utility of the draft to your Internet
identity proposals, and adding another proposed format to support
application independent identities sounds quite reasonable to me. Will
circle back with more detailed comments soon.

Shumon.

On Fri, Apr 2, 2021 at 2:34 AM Rick van Rein <rick@openfortress.nl> wrote:

> Hello Danish,
>
> Shumon suggested that the text I wrote might be too specific
> for an application that I have in mind.  This is an alternative
> text aiming to say just enough to support meaningful conclusions.
>
> I mention "uid" and "dc" attributes as a hint without force.
> This may be helpful to provide some guidance to allow various
> applications to come together.
>
>
> Cheers,
>  -Rick
>
>
> 2.0.  Format 0: Application-Independent Client Identity
>
>    The purpose of this format is to certify client's
>    [client-user-identity]@[client-domain-name] style
>    identities without ties to any specific application or
>    protocol.  This is a mechanism to support Realm Crossver
>    <xref target="draft-vanrein-internetwide-realm-crossover"/>.
>
>    In this format, domain users hold certificates signed
>    under a CA certificate that is approved of in a TLSA
>    record named
>
>    _client-identity.[client-domain-name]
>
>    TLSA records with such names SHOULD NOT set the RDATA field
>    for Certificate Usage to match end entity certificates.
>
>    The issuing CA or CAs approved by this statement MUST NOT
>    publish certificate attributes whose meaning specify the
>    [client-user-identity], the [client-domain-name] or any
>    parts or combinations thereof, except when (1) the full
>    [client-domain-name] is represented and (2) that domain has
>    approved the [client-user-identity] and the public key to
>    belong to the requesting client for at least the period
>    of validity of the certificate to be issued.
>
>    After extracting the [client-domain-name] from a client
>    certificate and validating the certificate to comply to
>    this TLSA record, a relying party can trust attributes
>    that specify the [client-user-identity] such as "uid", and
>    the [client-domain-name] such as in a "dc" sequence, to
>    adhere to the authoritative hierarchy of Internet names.
>
> --
> Danish mailing list
> Danish@ietf.org
> https://www.ietf.org/mailman/listinfo/danish
>

v2.23.0 | Report a Bug | By Email