Re: [Danish] Proposed DANISH charter
Ash Wilson <ash.wilson@valimail.com> Fri, 21 May 2021 05:24 UTC
Return-Path: <ash.wilson@valimail.com>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7F663A1882 for <danish@ietfa.amsl.com>; Thu, 20 May 2021 22:24:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TiI-TP1Jwc3T for <danish@ietfa.amsl.com>; Thu, 20 May 2021 22:23:56 -0700 (PDT)
Received: from mail-qk1-x729.google.com (mail-qk1-x729.google.com [IPv6:2607:f8b0:4864:20::729]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 053393A1880 for <danish@ietf.org>; Thu, 20 May 2021 22:23:55 -0700 (PDT)
Received: by mail-qk1-x729.google.com with SMTP id x8so18656956qkl.2 for <danish@ietf.org>; Thu, 20 May 2021 22:23:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=SnPjPTudqO6vbPQNynNcOpvadlbib4pGR/N2ywnkazE=; b=CkNByglh7grC7iK9wFq0G0lF8FGQfDQ286J3YqQ6ps/zsYhc5XWAB76mgvD2rxxmEH ZKCt8IsCN/T/jrzf8HDtBFugK4IdVlWxOCIGL1Kfn0E7nNh9AI6VYQYAKoFmOb3qshEp Cc9cmXnrOUqMhV7IvNKRmotZ/y1ZhNlrBxWTZht7hrFRcBv4bwpJmRqQxuGiBpubk3g/ gP9VDxevfUK1F1DGKZiHqPZEajewTHqntfpsGYxd4QSugXcWOWYXyqtYHjaBv8rUE6iH 3O4UtCvpRHV5ArctS654LsA/NYLwuRSy9v9rUVP8zEzsCHmeDWbVIn49e5ON39Tyk5WU uyRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=SnPjPTudqO6vbPQNynNcOpvadlbib4pGR/N2ywnkazE=; b=CFo9qkYb/McS3OGDs8b4Y8J/kCzCrv1D6ExmrK4TCIpK1VxlAFiMskJImvq0xHinQO N1RM0F6h63RzIMsNDJgad2hNWJ2VOH5H7Wl9wc+IphkNWypDm/vnmgSxDBmZZ5UgiFOw xJBj/Bv2iRBIovjugBdAAUPQpr9ftzhlouxWwsOzFKI+hqEY2xzMkiSJMc1o5TwSLQSA C3XZFNRGoJVwa4a8WEkXEUbYpORRH59G0C56NBeyez/ocol0GqG6gnmb3EofLB1lfLgP 9w8KVjG8b1bwD/x27MHkYUpQvmg1YQq4YGEP2eu5vSmrYCpKbkBfXbFDpI0NtDvuZOOz bnxA==
X-Gm-Message-State: AOAM531j+8dbJuz8D3Socmm1hqZ7sshKrqasB/0E7uw+F0pEo/p5vfbn vqHQFWBKW5YXCkmm/8vDr8tW/8xHko9ZyHSGFYiBE/FbzdcFH+Od
X-Google-Smtp-Source: ABdhPJwMAzsvMKp+lAo4CG0S5acv9GJTPd1hBr6+rvw3UaB3WeLR+2VVN5AluKBFD0ozSeM7nbi8juLJT4S9l+j7vp4=
X-Received: by 2002:a05:620a:955:: with SMTP id w21mr10077238qkw.124.1621574632809; Thu, 20 May 2021 22:23:52 -0700 (PDT)
MIME-Version: 1.0
References: <CAEfM=vQ_6Osx=SR8wjSs6kFereChsDH+K9MqgZPi4uDQ=eGjuA@mail.gmail.com>
In-Reply-To: <CAEfM=vQ_6Osx=SR8wjSs6kFereChsDH+K9MqgZPi4uDQ=eGjuA@mail.gmail.com>
From: Ash Wilson <ash.wilson@valimail.com>
Date: Thu, 20 May 2021 22:23:41 -0700
Message-ID: <CAEfM=vTgOemODUNT1pnjzFHJe71Lk-gTKdVL43hGT0VOWk0+tQ@mail.gmail.com>
To: danish@ietf.org
Content-Type: multipart/alternative; boundary="000000000000f73e1e05c2d04335"
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/k8mZ31pCFn6CSGDbyPH-nqPvogo>
Subject: Re: [Danish] Proposed DANISH charter
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 May 2021 05:24:01 -0000
Hi everyone, I've updated the text stating DANE's original purpose, according to recommendations from Paul and Jacques. Any other comments or suggestions for clarification? We've had some dialogue and I want to make sure that anything that's not sufficiently clear for a charter-level doc is appropriately addressed. ----- Objective DANE’s original purpose only covered authentication for the TLS server identity. The DANISH working group seeks to extend the DANE standard to encompass client identity and message sender identity use cases. DANISH also seeks to define a transitional mode for DANE, which will allow the safe adoption of DANE for domain owners who have not yet implemented DNSSEC.. Problem statement Using DANE for representing client identities safely allows authentication across CAs and prevents impersonation, because DNSSEC is used instead of a CA certificate and its associated trust hierarchy to bind an identity’s name to a public key. Everyone agrees on the DNS namespace and the DNS root zone’s DNSSEC trust anchor, eliminating the barrier to adoption for multiple private PKIs participating in application deployment. The greatest barrier to DANE adoption has been the DNSSEC requirement. DANISH will seek to provide a method of certificate and trust chain discovery for private PKIs, to enable the messaging security use case. This alternative mode will allow the use of Web PKI to securely discover certificates, in the absence of DNSSEC. This allows for a gradual DANE adoption where DNSSEC is not in the initial set of requirements. If the application owner wishes to use DANE for mutual TLS authentication, the application owner must then configure DNSSEC for the zone. Scope of work The DANISH group will produce an architecture document describing the primary application components, and their interaction patterns. DANISH will establish usage conventions for DANE DNS records to represent client identity for TLS connections and how to perform public key discovery for object security use cases. DANISH will also define any required TLS protocol updates to support client authentication using DANE. DANISH will define a method whereby Web PKI may be used in lieu of DNSSEC, using DANE DNS record types under specific use cases, as a transitional mode from Web PKI to the DNSSEC-based trust model. While modifications to the following standards are not within the scope of the DANISH charter, the DANISH working group will take care to ensure a potential path for interoperability with the following standards, enabling potential future work: JOSE, COSE, Oauth2, MLS, EAP-TLS, SMIMEA (RFC 8162), SIP (RFC 5922), Proxy headers (RFC 7239), IANA email authentication headers, and TCP proxy TLVs standardized by haproxy. On Wed, May 12, 2021 at 2:35 PM Ash Wilson <ash.wilson@valimail.com> wrote: > Hello everyone, > > Together with the BoF chairs, a few of us have been discussing what a > charter for this working group might look like. We are pleased to present > the following for your consideration: > > ----- > Objective > DANE’s original purpose only covered the coupling of PKI and DNS for > server identity. The DANISH working group seeks to extend the DANE standard > to encompass client identity and message sender identity use cases. DANISH > also seeks to define a transitional mode for DANE, which will allow the > safe adoption of DANE for domain owners who have not yet implemented > DNSSEC.. > > Problem statement > Using DANE for representing client identities safely allows authentication > across CAs and prevents impersonation, because DNSSEC is used instead of a > CA certificate and its associated trust hierarchy to bind an identity’s > name to a public key. Everyone agrees on the DNS namespace and the DNS root > zone’s DNSSEC trust anchor, eliminating the barrier to adoption for > multiple private PKIs participating in application deployment. > > The greatest barrier to DANE adoption has been the DNSSEC requirement. > DANISH will seek to provide a method of certificate and trust chain > discovery for private PKIs, to enable the messaging security use case. This > alternative mode will allow the use of Web PKI to securely discover > certificates, in the absence of DNSSEC. This allows for a gradual DANE > adoption where DNSSEC is not in the initial set of requirements. If the > application owner wishes to use DANE for mutual TLS authentication, the > application owner must then configure DNSSEC for the zone. > > Scope of work > The DANISH group will produce an architecture document describing the > primary application components, and their interaction patterns. DANISH will > establish usage conventions for DANE DNS records to represent client > identity for TLS connections and how to perform public key discovery for > object security use cases. DANISH will also define any required TLS > protocol updates to support client authentication using DANE. DANISH will > define a method whereby Web PKI may be used in lieu of DNSSEC, using DANE > DNS record types under specific use cases, as a transitional mode from Web > PKI to the DNSSEC-based trust model. > > While modifications to the following standards are not within the scope of > the DANISH charter, the DANISH working group will take care to ensure a > potential path for interoperability with the following standards, enabling > potential future work: JOSE, COSE, Oauth2, MLS, EAP-TLS, SMIMEA (RFC 8162), > SIP (RFC 5922), Proxy headers (RFC 7239), IANA email authentication > headers, and TCP proxy TLVs standardized by haproxy. > > -- > > *Ash Wilson* | Technical Director > *e:* ash.wilson@valimail.com > > This email and all data transmitted with it contains confidential and/or > proprietary information intended solely for the use of individual(s) > authorized to receive it. If you are not an intended and authorized > recipient you are hereby notified of any use, disclosure, copying or > distribution of the information included in this transmission is prohibited > and may be unlawful. Please immediately notify the sender by replying to > this email and then delete it from your system. > -- *Ash Wilson* | Technical Director *e:* ash.wilson@valimail.com This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
- [Danish] Proposed DANISH charter Ash Wilson
- Re: [Danish] Proposed DANISH charter Paul Wouters
- Re: [Danish] [EXT] Re: Proposed DANISH charter Jacques Latour
- Re: [Danish] Proposed DANISH charter Ash Wilson
- Re: [Danish] [EXT] Re: Proposed DANISH charter Ash Wilson
- Re: [Danish] Proposed DANISH charter Paul Wouters
- Re: [Danish] Proposed DANISH charter Ash Wilson
- Re: [Danish] Proposed DANISH charter Ash Wilson
- Re: [Danish] Proposed DANISH charter Olle E. Johansson
- Re: [Danish] Proposed DANISH charter Roman Danyliw