Re: [Danish] Updated charter post BOF discussion

Tim Wicinski <tjw.ietf@gmail.com> Thu, 19 August 2021 23:17 UTC


+1 on this working group.

tim


On Thu, Aug 19, 2021 at 3:38 PM Wes Hardaker <wjhns1@hardakers.net> wrote:

>
> Folks,
>
> We (Ash, Shumon, Todd and I) have taken the notes from the discussion
> to produce a new version of the charter that we hope addresses the
> points raised during the IETF111 BOF.  I've created a new pull request
> to Michael's repo here:
>
>     https://github.com/mcr/danish-bof/pull/9
>
> Please feel free to make any comments about the wording/etc as needed
> (soon please).
>
> Note that we did change the name to DANCE per general agreement in the
> BOF chat, etc.  That brings some confusion, as people have pointed out,
> but it's better to do so now if possible rather than later to remove the
> more specific IoT component in the name.
>
> Additionally, if you support the formation of this working group and
> haven't spoken up in support of it yet, please do so now (even a +1 is
> good and appreciated, but indicating you'll review/comment/implement is
> of course better).
>
>
>
> Full text:
>
> # Charter proposal for a DANCE WG
>
> - Name: DANE Authentication for Network Clients Everywhere (DANCE) [TBD:
> verify]
> - Revision: 1.3.0
>
> ## Objective
>
> The DANE Authentication for Network Clients Everywhere (DANCE) WG seeks to
> extend DANE to encompass TLS client authentication using certificates or
> Raw Public Keys (RPK).
>
> ## Problem Statement
>
> The process of establishing trust in public-key-authenticated identity
> typically involves the use of a Public Key Infrastructure (PKI), and a
> shared PKI root of trust between the parties exchanging public keys. A
> Certification Authority (CA) is one example of a root of trust for a
> PKI, which can be then used for establishing trust in certified public
> keys.
>
> The DNS namespace, together with DNSSEC, forms the most widely-recognized
> namespace and authenticated lookup mechanism on the Internet.
> DANE builds on this authenticated lookup mechanism to enable public
> key-based TLS authentication which is resilient to impersonation, but
> only for TLS server identities.
> However, DANE did not define authentication for TLS client identities.
>
> <!-- defines a lookup mechanism for TLS -->
> <!-- server identities and a published trust-path to their public key. -->
>
> In response to the challenges related to ambiguity between identically
> named identities issued by different CAs, application owners
> frequently choose to onboard client identities to a single private PKI
> with a limited CA set that is specific to that vertical.  This creates
> a silo effect where different parts of a large deployment cannot
> communicate.  Examples of where DANCE could be useful include SMTP
> transport client authentication, authentication of DNS authoritative
> server to server zone file transfers over TLS, authentication to DNS
> recursive servers, and Internet of Things (IoT) device identification.
>
> ## Scope of work
>
> DANCE will specify the TLS client authentication use cases and an
> architecture describing the primary components and interaction patterns.
>
> DANCE will define how DNS DANE records will represent client
> identities for TLS connections.
>
> DANCE will coordinate with the TLS working group to define any
> required TLS protocol updates required to support client
> authentication using DANE.
>
> The DANCE scope of work will be initially limited to just TLS client
> authentication.  Future work may include using client identifiers for
> other tasks including object security, or authenticating to other
> protocols.
>
> ## Deliverables:
>
> * DANCE architecture and use cases (IoT, SMTP client,
>   authentication to DNS services, ...) document (9 months)
>
> * DANE client authentication and publication practices (current draft)
>   (6 months)
>
> * A TLS extension to indicate DANE identification capability and the
>   client's DANE identity name (current draft) (6 months)
>
>
>
>
> --
> Wes Hardaker
> USC/ISI
>
> --
> Danish mailing list
> Danish@ietf.org
> https://www.ietf.org/mailman/listinfo/danish
>