[Danish] Application-Independent Client Identity through DANE
Rick van Rein <rick@openfortress.nl> Thu, 01 April 2021 08:17 UTC
Return-Path: <rick@openfortress.nl>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14DCC3A0E39 for <danish@ietfa.amsl.com>; Thu, 1 Apr 2021 01:17:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.118
X-Spam-Level:
X-Spam-Status: No, score=-2.118 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=openfortress.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M_l4w7GuVh2b for <danish@ietfa.amsl.com>; Thu, 1 Apr 2021 01:17:48 -0700 (PDT)
Received: from lb2-smtp-cloud7.xs4all.net (lb2-smtp-cloud7.xs4all.net [194.109.24.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E521C3A0E43 for <danish@ietf.org>; Thu, 1 Apr 2021 01:17:47 -0700 (PDT)
Received: from popmini.vanrein.org ([83.161.146.46]) by smtp-cloud7.xs4all.net with ESMTP id RsWLlcoK6MxedRsWMlrbzZ; Thu, 01 Apr 2021 10:17:42 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openfortress.nl; i=rick@openfortress.nl; q=dns/txt; s=fame; t=1617265055; h=message-id : date : from : mime-version : to : subject : content-type : content-transfer-encoding : date : from : subject; bh=Y8FlXYC20dKJNAiN3zj0Imlg7cbk5vjXi4YNfz2EbtM=; b=gvYbANhwHcJEPQao32e/RO7gOObo9jFDss0yr62WEuDDMFExeQdL9/10 BERB3xrRrDzFZdSd2F7ORBIbyy7ZfINCL47MCvXEcSTU0Sp96+Hkpp+tt5 urN7kOY9XAlBeqrqtoxztLchYrxM71u46agDm+XhcIHgCbd4EQaGqybY8=
Received: by fame.vanrein.org (Postfix, from userid 1006) id 5DD9C4BFEE; Thu, 1 Apr 2021 08:17:35 +0000 (UTC)
X-Original-To: danish@ietf.org
Received: from airhead.local (phantom.vanrein.org [83.161.146.46]) by fame.vanrein.org (Postfix) with ESMTPA id 24B2A4BFEC; Thu, 1 Apr 2021 08:17:31 +0000 (UTC)
Message-ID: <60658198.2070902@openfortress.nl>
Date: Thu, 01 Apr 2021 10:17:28 +0200
From: Rick van Rein <rick@openfortress.nl>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: danish@ietf.org
X-Enigmail-Version: 1.2.3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bogosity: Unsure, tests=bogofilter, spamicity=0.520000, version=1.2.4
X-CMAE-Envelope: MS4xfO6Ogz7f7cd6a/hYlH+jnYeWJfkD7oX2ECS4UXz6bYePHTgkjioUHuMQcetBXNoNIwlhGN+sU4HXJibz66+vUiYat6aWhBJYn/WS3Ri0rwZUcFCOfzqF Vg6R9/3gcAj0nYlu9W25GZhKBiXGpYVX/TH1AbvA9n38vkYR08ktwGwT0DzPPoMR4A3aaYNj+YH+/A==
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/cT4ixq-G9mhcOCuj8pz9lOLik64>
Subject: [Danish] Application-Independent Client Identity through DANE
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 08:17:54 -0000
Hallo Danish, I was happy to learn that Client DANE is being worked on again. An opportunity that I'd like to see addressed is a mechanism for clients to state that their identity sits under a given domain. The way to do that now involves LDAP, protected with TLS and DANE/DNSSEC. There are advantages including simplicity about doing this with Client DANE. Would you consider the attached portion of text? It would be a way of achieving Realm Crossover, our globally described intention in draft-vanrein-internetwide-realm-crossover The general approach is to use DNSSEC-based authority for domains, and treat the assignment of userids as the prerogative of the domain, to be validated over a secure backlink. The draft expired just yet, and I'd love to update it with a reference to the following in Client DANE :) Thanks for considering, Rick van Rein InternetWide.org / OpenFortress.nl 2.0. Format 0: Application-Independent Client Identity The purpose of this format is to allow clients to state [client-user-identity]@[client-domain-name] style identities which are not tied to any specific application. This uses certificates to implement Realm Crossver <xref target="draft-vanrein-internetwide-realm-crossover"/>. In this format, domain users hold certificates signed under a CA certificate that is approved of in a TLSA record named _client-identity.[client-domain-name] The TLSA record SHOULD NOT set the TLSA RDATA field for Certificate Usage to match end entity certificates. The issuing CA or CAs approved by this statement MUST NOT issue any attributes that represents another domain name than [client-domain-name]. Note that a sequence of "domainComponent" or "dc" RDNs would combine to form a domain name. Note that a domain name may occur as part of a longer attribute. The issuing CA or CAs approved by this statement SHOULD NOT issue any attributes that represent a user identity that has not been established by a RA run under control of the domain [client-domain-name]. Note that a userid may occur as part of a longer attribute. To implement these rules, the issuing CA or CAs approved by this statement MUST NOT produce attributes of which it does not known whether it represents a domain name and/or user identity. On the grounds of this TLSA statement, the relying party SHOULD NOT trust any other information than domain names and user identities. This does not preclude that other paths may validate the information, possibly including application choices to treat attributes as informative suggestions without security implications.
- [Danish] Application-Independent Client Identity … Rick van Rein
- Re: [Danish] Application-Independent Client Ident… Rick van Rein
- Re: [Danish] Application-Independent Client Ident… Shumon Huque
- Re: [Danish] Application-Independent Client Ident… Rick van Rein
- Re: [Danish] Application-Independent Client Ident… Rick van Rein
- Re: [Danish] Application-Independent Client Ident… Rick van Rein
- Re: [Danish] Application-Independent Client Ident… Rick van Rein
- Re: [Danish] Application-Independent Client Ident… Ash Wilson
- Re: [Danish] Application-Independent Client Ident… Rick van Rein
- Re: [Danish] Application-Independent Client Ident… Rick van Rein