Re: [Danish] Proposed WG Charter

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 13 June 2021 23:53 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 647203A1588 for <danish@ietfa.amsl.com>; Sun, 13 Jun 2021 16:53:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I3sGBqLaQ_px for <danish@ietfa.amsl.com>; Sun, 13 Jun 2021 16:53:26 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D2C43A1587 for <danish@ietf.org>; Sun, 13 Jun 2021 16:53:26 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id C3F7D38B1E for <danish@ietf.org>; Sun, 13 Jun 2021 19:54:29 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id sYoboUsslMQd for <danish@ietf.org>; Sun, 13 Jun 2021 19:54:28 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id B5E6438B1C for <danish@ietf.org>; Sun, 13 Jun 2021 19:54:28 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 91D9AC9B for <danish@ietf.org>; Sun, 13 Jun 2021 19:53:24 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: danish@ietf.org
In-Reply-To: <A7723DDA-3B78-46AD-9449-B6DF7F211706@nohats.ca>
References: <YMZwG/l/pne2tHJF@straasha.imrryr.org> <A7723DDA-3B78-46AD-9449-B6DF7F211706@nohats.ca>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sun, 13 Jun 2021 19:53:24 -0400
Message-ID: <18269.1623628404@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/rUnFGOX8iWBMDWySYuNY-aLP3qM>
Subject: Re: [Danish] Proposed WG Charter
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Jun 2021 23:53:31 -0000

I think that the charter has too many words and too many goals.
I suggest leaving the DNSSEC-less stuff to a recharter.
Where was that github for this....

==== I suggest the following shorter charter

-Objective

The DANE AutheNtication for Iot Service Hardening (DANISH) WG seeks to
extend DANE to encompass TLS client authentication using certificates.

The WG will also use DANE to establish identities for store and forward of
messages using sender identities.      [better wording sought]

-Problem statement

The process of establishing trust in public-key-authenticated identity
typically involves the use of a Public Key Infrastructure (PKI), and a
shared PKI root of trust between the parties exchanging public keys. A
Certification Authority (CA) is one example of a PKI which can be used for
establishing trust in public keys.

The DNS namespace, together with DNSSEC, forms the most widely-recognized
namespace and authenticated discovery mechanism on the Internet.
DANE builds on this authenticated discovery mechanism to enable public key-based
TLS authentication which is resilient to impersonation, but only for TLS
server identities.

In response to the challenges related to ambiguity between identities issued
by different CAs, application owners frequently choose to onboard IoT devices
to a single private CA specific to that vertical.
This creates a silo effect where different parts of large deployment can not
communicate.  For instance the heating cooling system of a building can not
authenticate the lighting control system.

Many IoT deployments use some kind of message bus (for instance MQTT) to
exchange data, and there is a strong desire to add message-level security
(MLS) to the objects which are exchanged.  While there is TLS for connection security,
it does not extend to what is communicated and so does not convey authority
to make a claim, while a MLS would provide that.

A DNS name is a useful unique identifier to which humans interact with well,
and which can be used (thanks to DNSSEC and DANE) to attach a key by which to
authenticate the message sender identity.

-Scope of work
DANISH will specify the TLS session and message security use cases and an
architecture describing the primary components and interaction patterns.

DANISH will establish usage conventions for DANE DNS records to represent
client identity for TLS connections and how to perform public key discovery
for message security use cases, like the establishment of message sender
identity.

DANISH will coordinate with the TLS working group to define any required
TLS v1.3 protocol updates required to support client authentication using
DANE.

{XXX cross this out?
DANISH will standardize a protocol and specify operational recommendations
for the use of Web PKI to authenticate the discovery of private PKI
certificates and trust chains via DANE DNS record types, in the absence of
DNSSEC, in support of the message security use case. }

While modifications to the following standards are not within the scope of
the DANISH charter, the DANISH working group will take care to ensure a
potential path for interoperability with the following standards, enabling
potential future work:SMIMEA (RFC 8162), Proxy headers (RFC 7239), IANA
email authentication headers, and TCP proxy TLVs standardized by haproxy.

-Deliverables:
DANISH architecture document
9 months
DANE for client certificates (current draft)
6 months
DANE for TLS client authentication (current draft)
  6 months


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide