Re: [Danish] Proposed WG Charter
Michael Richardson <mcr+ietf@sandelman.ca> Sun, 13 June 2021 23:53 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 647203A1588 for <danish@ietfa.amsl.com>; Sun, 13 Jun 2021 16:53:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I3sGBqLaQ_px for <danish@ietfa.amsl.com>; Sun, 13 Jun 2021 16:53:26 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D2C43A1587 for <danish@ietf.org>; Sun, 13 Jun 2021 16:53:26 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id C3F7D38B1E for <danish@ietf.org>; Sun, 13 Jun 2021 19:54:29 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id sYoboUsslMQd for <danish@ietf.org>; Sun, 13 Jun 2021 19:54:28 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id B5E6438B1C for <danish@ietf.org>; Sun, 13 Jun 2021 19:54:28 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 91D9AC9B for <danish@ietf.org>; Sun, 13 Jun 2021 19:53:24 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: danish@ietf.org
In-Reply-To: <A7723DDA-3B78-46AD-9449-B6DF7F211706@nohats.ca>
References: <YMZwG/l/pne2tHJF@straasha.imrryr.org> <A7723DDA-3B78-46AD-9449-B6DF7F211706@nohats.ca>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sun, 13 Jun 2021 19:53:24 -0400
Message-ID: <18269.1623628404@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/rUnFGOX8iWBMDWySYuNY-aLP3qM>
Subject: Re: [Danish] Proposed WG Charter
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Jun 2021 23:53:31 -0000
I think that the charter has too many words and too many goals. I suggest leaving the DNSSEC-less stuff to a recharter. Where was that github for this.... ==== I suggest the following shorter charter -Objective The DANE AutheNtication for Iot Service Hardening (DANISH) WG seeks to extend DANE to encompass TLS client authentication using certificates. The WG will also use DANE to establish identities for store and forward of messages using sender identities. [better wording sought] -Problem statement The process of establishing trust in public-key-authenticated identity typically involves the use of a Public Key Infrastructure (PKI), and a shared PKI root of trust between the parties exchanging public keys. A Certification Authority (CA) is one example of a PKI which can be used for establishing trust in public keys. The DNS namespace, together with DNSSEC, forms the most widely-recognized namespace and authenticated discovery mechanism on the Internet. DANE builds on this authenticated discovery mechanism to enable public key-based TLS authentication which is resilient to impersonation, but only for TLS server identities. In response to the challenges related to ambiguity between identities issued by different CAs, application owners frequently choose to onboard IoT devices to a single private CA specific to that vertical. This creates a silo effect where different parts of large deployment can not communicate. For instance the heating cooling system of a building can not authenticate the lighting control system. Many IoT deployments use some kind of message bus (for instance MQTT) to exchange data, and there is a strong desire to add message-level security (MLS) to the objects which are exchanged. While there is TLS for connection security, it does not extend to what is communicated and so does not convey authority to make a claim, while a MLS would provide that. A DNS name is a useful unique identifier to which humans interact with well, and which can be used (thanks to DNSSEC and DANE) to attach a key by which to authenticate the message sender identity. -Scope of work DANISH will specify the TLS session and message security use cases and an architecture describing the primary components and interaction patterns. DANISH will establish usage conventions for DANE DNS records to represent client identity for TLS connections and how to perform public key discovery for message security use cases, like the establishment of message sender identity. DANISH will coordinate with the TLS working group to define any required TLS v1.3 protocol updates required to support client authentication using DANE. {XXX cross this out? DANISH will standardize a protocol and specify operational recommendations for the use of Web PKI to authenticate the discovery of private PKI certificates and trust chains via DANE DNS record types, in the absence of DNSSEC, in support of the message security use case. } While modifications to the following standards are not within the scope of the DANISH charter, the DANISH working group will take care to ensure a potential path for interoperability with the following standards, enabling potential future work:SMIMEA (RFC 8162), Proxy headers (RFC 7239), IANA email authentication headers, and TCP proxy TLVs standardized by haproxy. -Deliverables: DANISH architecture document 9 months DANE for client certificates (current draft) 6 months DANE for TLS client authentication (current draft) 6 months -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Paul Wouters
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Paul Hoffman
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Shumon Huque
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] [EXT] Re: Proposed WG Charter Jacques Latour
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Ash Wilson
- Re: [Danish] Proposed WG Charter Paul Wouters
- Re: [Danish] Proposed WG Charter Paul Wouters
- Re: [Danish] Proposed WG Charter Viktor Dukhovni
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Roman Danyliw
- Re: [Danish] Proposed WG Charter Michael Richardson
- Re: [Danish] Proposed WG Charter Jacques Latour