IETF Logo Mail Archive

[Danish] Application-Independent Client Identity through DANE

Rick van Rein <rick@openfortress.nl> Thu, 01 April 2021 08:17 UTC

Return-Path: <rick@openfortress.nl>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14DCC3A0E39 for <danish@ietfa.amsl.com>; Thu, 1 Apr 2021 01:17:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.118
X-Spam-Level:
X-Spam-Status: No, score=-2.118 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=openfortress.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M_l4w7GuVh2b for <danish@ietfa.amsl.com>; Thu, 1 Apr 2021 01:17:48 -0700 (PDT)
Received: from lb2-smtp-cloud7.xs4all.net (lb2-smtp-cloud7.xs4all.net [194.109.24.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E521C3A0E43 for <danish@ietf.org>; Thu, 1 Apr 2021 01:17:47 -0700 (PDT)
Received: from popmini.vanrein.org ([83.161.146.46]) by smtp-cloud7.xs4all.net with ESMTP id RsWLlcoK6MxedRsWMlrbzZ; Thu, 01 Apr 2021 10:17:42 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openfortress.nl; i=rick@openfortress.nl; q=dns/txt; s=fame; t=1617265055; h=message-id : date : from : mime-version : to : subject : content-type : content-transfer-encoding : date : from : subject; bh=Y8FlXYC20dKJNAiN3zj0Imlg7cbk5vjXi4YNfz2EbtM=; b=gvYbANhwHcJEPQao32e/RO7gOObo9jFDss0yr62WEuDDMFExeQdL9/10 BERB3xrRrDzFZdSd2F7ORBIbyy7ZfINCL47MCvXEcSTU0Sp96+Hkpp+tt5 urN7kOY9XAlBeqrqtoxztLchYrxM71u46agDm+XhcIHgCbd4EQaGqybY8=
Received: by fame.vanrein.org (Postfix, from userid 1006) id 5DD9C4BFEE; Thu, 1 Apr 2021 08:17:35 +0000 (UTC)
X-Original-To: danish@ietf.org
Received: from airhead.local (phantom.vanrein.org [83.161.146.46]) by fame.vanrein.org (Postfix) with ESMTPA id 24B2A4BFEC; Thu, 1 Apr 2021 08:17:31 +0000 (UTC)
Message-ID: <60658198.2070902@openfortress.nl>
Date: Thu, 01 Apr 2021 10:17:28 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: danish@ietf.org
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.520000, version=1.2.4
X-CMAE-Envelope: MS4xfO6Ogz7f7cd6a/hYlH+jnYeWJfkD7oX2ECS4UXz6bYePHTgkjioUHuMQcetBXNoNIwlhGN+sU4HXJibz66+vUiYat6aWhBJYn/WS3Ri0rwZUcFCOfzqF Vg6R9/3gcAj0nYlu9W25GZhKBiXGpYVX/TH1AbvA9n38vkYR08ktwGwT0DzPPoMR4A3aaYNj+YH+/A==
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/cT4ixq-G9mhcOCuj8pz9lOLik64>
Subject: [Danish] Application-Independent Client Identity through DANE
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 08:17:54 -0000

Hallo Danish,

I was happy to learn that Client DANE is being worked on again.  An
opportunity that I'd like to see addressed is a mechanism for clients
to state that their identity sits under a given domain.  The way to do
that now involves LDAP, protected with TLS and DANE/DNSSEC.  There are
advantages including simplicity about doing this with Client DANE.

Would you consider the attached portion of text?  It would be a way of
achieving Realm Crossover, our globally described intention in
draft-vanrein-internetwide-realm-crossover

The general approach is to use DNSSEC-based authority for domains, and
treat the assignment of userids as the prerogative of the domain, to be
validated over a secure backlink.  The draft expired just yet, and I'd
love to update it with a reference to the following in Client DANE :)


Thanks for considering,

Rick van Rein
InternetWide.org / OpenFortress.nl



2.0.  Format 0: Application-Independent Client Identity

   The purpose of this format is to allow clients to
   state [client-user-identity]@[client-domain-name] style
   identities which are not tied to any specific application.
   This uses certificates to implement Realm Crossver
   <xref target="draft-vanrein-internetwide-realm-crossover"/>.

   In this format, domain users hold certificates signed
   under a CA certificate that is approved of in a TLSA
   record named

   _client-identity.[client-domain-name]

   The TLSA record SHOULD NOT set the TLSA RDATA field for
   Certificate Usage to match end entity certificates.

   The issuing CA or CAs approved by this statement MUST NOT
   issue any attributes that represents another domain name
   than [client-domain-name].  Note that a sequence of
   "domainComponent" or "dc" RDNs would combine to form a
   domain name.  Note that a domain name may occur as part
   of a longer attribute.

   The issuing CA or CAs approved by this statement SHOULD NOT
   issue any attributes that represent a user identity that
   has not been established by a RA run under control of the
   domain [client-domain-name].  Note that a userid may occur
   as part of a longer attribute.

   To implement these rules, the issuing CA or CAs approved by
   this statement MUST NOT produce attributes of which it does
   not known whether it represents a domain name and/or user
   identity.

   On the grounds of this TLSA statement, the relying party
   SHOULD NOT trust any other information than domain names
   and user identities.  This does not preclude that other
   paths may validate the information, possibly including
   application choices to treat attributes as informative
   suggestions without security implications.

v2.23.0 | Report a Bug | By Email