Re: [Danish] Proposed WG Charter
Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 13 June 2021 20:52 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 961613A0D64 for <danish@ietfa.amsl.com>; Sun, 13 Jun 2021 13:52:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z8hkoJy8HfUZ for <danish@ietfa.amsl.com>; Sun, 13 Jun 2021 13:52:45 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C20443A0D66 for <danish@ietf.org>; Sun, 13 Jun 2021 13:52:44 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 3029CC424D; Sun, 13 Jun 2021 16:52:43 -0400 (EDT)
Date: Sun, 13 Jun 2021 16:52:43 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: danish@ietf.org
Message-ID: <YMZwG/l/pne2tHJF@straasha.imrryr.org>
Reply-To: danish@ietf.org
References: <CAEfM=vRA4P7As25Krc64Q5QTEuQZidpmzWgXWivOxOm8x-9ZAw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAEfM=vRA4P7As25Krc64Q5QTEuQZidpmzWgXWivOxOm8x-9ZAw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/jV8K9YChawqascdAtr3KXP14Eos>
Subject: Re: [Danish] Proposed WG Charter
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Jun 2021 20:52:48 -0000
On Sat, Jun 12, 2021 at 08:25:07AM -0700, Ash Wilson wrote: > This is the final text for the proposed charter. We are seeking > support for the formation of the working group, as well as support for > implementation, adoption, and documentation efforts. I see that others have commented positively on the charter, and yet somehow for me it seems rather muddled. It is not clear to me what the motivating use-cases really are, nor how DANISH would resolve the key difficulties in those use-cases. There is no explanation of whether the perceived barriers to DNSSEC adoption are on the authoritative or resolver side, or who are the primary intended users (consumer, enterprise, other?) for PKI a la DANISH. > The now closed DANE working group (WG) produced a mechanism that > supported authentication of TLS server identities via a DNSSEC-secured > infrastructure. Operational experience with DANE has validated the > utility of a DNS-enabled mechanism for discovering authenticated keys, > but has also shown that reliance on DNSSEC is a significant barrier to > adoption. The term "discovering authentication keys" is not defined here. It is not clear that avoiding DNSSEC will make things simpler. Which is the more important barrier here, zone signing, or access to validating resolvers? > The DANE AutheNtication for Iot Service Hardening (DANISH) WG seeks to > extend DANE to encompass TLS client and message sender identities. Extending DANE to client auth is certainly an option for "devices" that one might reasonably want to register in DNS. > DANISH will also define a mechanism for messaging use cases that > allows DANE DNS record types to be secured by the Web PKI as a > transition strategy for domain owners who have not yet implemented a > DNSSEC-based trust model. The phrase "DANE DNS record types" is not defined. Nor is it clear what it might for DNS records to be "secured by the Web PKI". Here you speak of "domain owners", placing the focus on the signer side. Signing domains, and keeping them signed, is at this point sufficiently easy, that there's no longer any justifiable reason to design work-arounds for barriers to zone signing. If that's the obstacle, I am not at all sympathetic to ugly work-arounds that simply postpone doing it right. > A Certificate Authority (CA) is one example of a PKI which can be used for FWIW, the established term of art is "Certification Authority". > establishing trust in public keys. CAs only guarantee the uniqueness of an > identity’s name within the context of the CA, and multiple CAs may sign > certificates for different entities bearing the same name. DNSSEC is > another PKI, which is bound to the DNS namespace. The use of "uniqueness" here is rather unclear. There's nothing wrong with multiple certificates each binding a key to some shared name, it just means that all the keys are associated with the same subject. Nor is it necessarily a problem if such bindings are obtained from multiple CAs (provided they are all properly validated and authorised). > The DNS namespace, together with DNSSEC, forms the most widely-recognized > namespace and authenticated discovery mechanism on the Internet. Not clear what this is intended to convey. > DANE builds on this authenticated discovery mechanism to enable public > key-based TLS authentication which is resilient to impersonation, but > only for TLS server identities. More precisely, how one locates the relevant RFC6698/7671 TLSA records for use with TLS is presently only defined for the server side of a TLS connection. > The use of CA-based PKI alone for client and message sender authentication > creates the possibility of naming collisions when multiple CAs are trusted > within the same application. It is rather unclear what this is getting at. Perhaps it i trying to evoke lack of effective name constraints in the WebPKI? > In response to the challenges related to ambiguity between identities > issued by different CAs, application owners frequently choose to > onboard IoT devices to a single CA. Again, what exactly is this tryign to get at? > Expanding the use cases for DANE to support the representation of TLS > client and message sender identities will enable unambiguous authentication > across CAs, for client/server TLS sessions as well as message-oriented > information flows. It seems that solving "ambiguity" is a major concern. So the term needs a clear definition and some motivating examples. > The greatest barrier to DANE adoption has been the DNSSEC requirement. But which barriers if any are applicable to the DANISH use-case? DNSSEC zone signing? DNSSEC resolution on roaming devices? Or tools to automate publishing data in DNS (signed or not), monitoring, ... > DANISH will provide a method of certificate and trust chain discovery for > private PKIs, What is "trust chain discovery"? How is different from including all the relevant certificates with the message? What is "certificate discovery"? What makes these relevant to IoT? > to enable the messaging security use case, in a manner which will work > securely in the absence of DNSSEC. Why is avoiding DNSSEC simpler than making it more compelling to deploy? > -Scope of work > DANISH will specify the TLS session and message security use cases and an > architecture describing the primary components and interaction patterns. I think the charter should go some way to clarifying the intended use cases. -- Viktor.
- [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Paul Wouters
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Paul Hoffman
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Shumon Huque
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] [EXT] Re: Proposed WG Charter Jacques Latour
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Paul Wouters
- Re: [Danish] Proposed WG Charter Paul Wouters
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Roman Danyliw
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Jacques Latour