Re: [Danish] Proposed WG Charter

Ash Wilson <ash.wilson@valimail.com> Mon, 14 June 2021 20:34 UTC

Return-Path: <ash.wilson@valimail.com>
X-Original-To: danish@ietfa.amsl.com
Delivered-To: danish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 602553A0AD6 for <danish@ietfa.amsl.com>; Mon, 14 Jun 2021 13:34:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mf280gXAhYDn for <danish@ietfa.amsl.com>; Mon, 14 Jun 2021 13:34:09 -0700 (PDT)
Received: from mail-qk1-x72b.google.com (mail-qk1-x72b.google.com [IPv6:2607:f8b0:4864:20::72b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74FEB3A0AD5 for <danish@ietf.org>; Mon, 14 Jun 2021 13:34:09 -0700 (PDT)
Received: by mail-qk1-x72b.google.com with SMTP id k11so38194048qkk.1 for <danish@ietf.org>; Mon, 14 Jun 2021 13:34:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=KMcTBlXVsAb/7JtBZ9W4vS7FpP5K7UEEhn8ZcKJviEM=; b=R3/yw0qhfBzc8WGwdW/aQddfwHlcFCNhvQuYWpHcweWaA/2RH6yiPpW4x1Dhs+2sxt 1qci12lOVPwwpcet+6n2p/3BOXttPUp5kLha3CmP8ZZGxJ/PYbpC8ARIOAUI5qG4XSVM yS4myzZVHvO5Dek3aVJJGqzU3HKhVaC7g4NSHcsUTsFgQbNRGhj8mwlBop1lAReVpZcR WqWt6GVdozFzaQ88r+0sjroOiiAqGU/QsyCgJQtGVhlZ+Lo7ycy/fQV5UZ+Tx1JVjnxZ 1a0FBHn815nirIcwFTI0Dkn7RIoZ9YBByP8g59FLcCNXLPgzzP9ekFg3M4B0C+ACo4da tpsA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=KMcTBlXVsAb/7JtBZ9W4vS7FpP5K7UEEhn8ZcKJviEM=; b=Dmz/F4D1I1lt8uiGgwntczVJb8G1O1XeqNDIRQ9fU1FCHoe+eODonfvqTvL59fjDaM JEXCLznHfhTyqcyW+uihnXn3Dkwn7rfNL+rRPu+tuL60X3jlVYluHjW9GN6e7mXNzuyd fZK/5XceTGHnciYGDzy9u64aN63/4xtMX5WzTsSytMVG995YVXPP8uy1sJu0RcTcadkV Ls8MXQPs6S5XhX7MdW0Etykf0OtNaNxN+N9NkBtVsyr0x4sxPZ+Ylw1oFOzNTf6oZgYS r7UORfVNdKH1sAmgyH7PIP4LvuMXjVRG0wbWO9SFIxEu0HVQEvcx3KeMKpn06X+m2sKx WORg==
X-Gm-Message-State: AOAM5307k24+l2icSieEuLlkT+YIoqoJkYWaRzmihDuvMLOvHn/fyvnR jzHvzklmrU9HAOYoKke6L7zYmTJBJAOsYLUZRnHURHHfNdM=
X-Google-Smtp-Source: ABdhPJwiFM8S5Byw7m0s5EDRJHE9MoaH6t45Zh/zDcfb+yM4CHR899eZg7MmA48KGKyI8fRTQZhfYvTNMsbxMzbCSvw=
X-Received: by 2002:a05:620a:136b:: with SMTP id d11mr18308972qkl.423.1623702847596; Mon, 14 Jun 2021 13:34:07 -0700 (PDT)
MIME-Version: 1.0
References: <CAEfM=vRA4P7As25Krc64Q5QTEuQZidpmzWgXWivOxOm8x-9ZAw@mail.gmail.com> <YMZwG/l/pne2tHJF@straasha.imrryr.org>
In-Reply-To: <YMZwG/l/pne2tHJF@straasha.imrryr.org>
From: Ash Wilson <ash.wilson@valimail.com>
Date: Mon, 14 Jun 2021 13:33:56 -0700
Message-ID: <CAEfM=vT5PErjwY73gEEaFb7v84tdVSWb3p4efz_xL1gApFYvRQ@mail.gmail.com>
To: danish@ietf.org
Content-Type: multipart/alternative; boundary="00000000000073ba2705c4bfc71c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/s7nskJfpL-A-7sATwLYvg3nafkk>
Subject: Re: [Danish] Proposed WG Charter
X-BeenThere: danish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <danish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/danish>, <mailto:danish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/danish/>
List-Post: <mailto:danish@ietf.org>
List-Help: <mailto:danish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/danish>, <mailto:danish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jun 2021 20:34:17 -0000

Hi Viktor,
Thanks for the detailed feedback! Responses in-line below...

On Sun, Jun 13, 2021 at 1:52 PM Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> On Sat, Jun 12, 2021 at 08:25:07AM -0700, Ash Wilson wrote:
>
> > This is the final text for the proposed charter. We are seeking
> > support for the formation of the working group, as well as support for
> > implementation, adoption, and documentation efforts.
>
> I see that others have commented positively on the charter, and yet
> somehow for me it seems rather muddled.  It is not clear to me what
> the motivating use-cases really are, nor how DANISH would resolve
> the key difficulties in those use-cases.
>
> There is no explanation of whether the perceived barriers to DNSSEC
> adoption are on the authoritative or resolver side, or who are the
> primary intended users (consumer, enterprise, other?) for PKI a la
> DANISH.
>
I think that a proper survey to understand what DNSSEC adoption is
struggling would be a worthwhile endeavor, and registrars are in a
great position to do that well. The objections I've encountered to DNSSEC
(in having conversations with would-be implementers) relate generally to a
perception that the benefits do not outweigh the risks. Some of those risks
are related to technology challenges, and some relate to hiring the right
skillset to maintain and troubleshoot a DNSSEC-protected domain. In
changing the location of DNSSEC in the adoption path for DNS-based
identities, we allow organizations to experience some success and build
confidence in the DNS-based identity strategy, which will further
incentivize the eventual adoption of DNSSEC.


> > The now closed DANE working group (WG) produced a mechanism that
> > supported authentication of TLS server identities via a DNSSEC-secured
> > infrastructure.  Operational experience with DANE has validated the
> > utility of a DNS-enabled mechanism for discovering authenticated keys,
> > but has also shown that reliance on DNSSEC is a significant barrier to
> > adoption.
>
> The term "discovering authentication keys" is not defined here.  It is
> not clear that avoiding DNSSEC will make things simpler.  Which is the
> more important barrier here, zone signing, or access to validating
> resolvers?
>

Would replacing 'discovering authenticated keys' with 'discovering keys or
hashes to support TLS server authentication' remedy the lack of clarity?

A DNS-based public key discovery mechanism for authenticating message
signatures, which does not rely on DNSSEC, may be experimented with and
adopted by any domain. If DNSSEC is a requirement for the message security
use case (public key discovery for signature validation), then only 2.47%
of all .com domains may even experiment with it. Justifying a transition to
DNSSEC for an organization can be an uphill battle. If DNSSEC is a
requirement for further exploration of a strategy that's already shown
success, the chance of eventual adoption of DNSSEC will be greater.


> > The DANE AutheNtication for Iot Service Hardening (DANISH) WG seeks to
> > extend DANE to encompass TLS client and message sender identities.
>
> Extending DANE to client auth is certainly an option for "devices" that
> one might reasonably want to register in DNS.
>
> > DANISH will also define a mechanism for messaging use cases that
> > allows DANE DNS record types to be secured by the Web PKI as a
> > transition strategy for domain owners who have not yet implemented a
> > DNSSEC-based trust model.
>
> The phrase "DANE DNS record types" is not defined.  Nor is it clear what
> it might for DNS records to be "secured by the Web PKI".
>

Detail was intentionally left out of this part. We had some discussion at
the last BoF, and a draft process
https://datatracker.ietf.org/doc/draft-wilson-dane-pkix-cd/ also exists in
the form of running code. However, there may be a more elegant way to
approach this, and we didn't want to go into exhaustive detail on the
transitional mode when the final state (TLS protocol support for DANE
client identity) still needs more discussion and detail added to the
specification. This informed the timing components of the deliverables
section of this charter, where we expect to complete the specification for
the desired end-state, and then ensure the transitional mode is
appropriately aligned.


> Here you speak of "domain owners", placing the focus on the signer side.
> Signing domains, and keeping them signed, is at this point sufficiently
> easy, that there's no longer any justifiable reason to design
> work-arounds for barriers to zone signing.  If that's the obstacle, I am
> not at all sympathetic to ugly work-arounds that simply postpone doing
> it right.
>
> > A Certificate Authority (CA) is one example of a PKI which can be used
> for
>
> FWIW, the established term of art is "Certification Authority".
>
> > establishing trust in public keys. CAs only guarantee the uniqueness of
> an
> > identity’s name within the context of the CA, and multiple CAs may sign
> > certificates for different entities bearing the same name. DNSSEC is
> > another PKI, which is bound to the DNS namespace.
>
> The use of "uniqueness" here is rather unclear.  There's nothing wrong
> with multiple certificates each binding a key to some shared name, it
> just means that all the keys are associated with the same subject.  Nor
> is it necessarily a problem if such bindings are obtained from multiple
> CAs (provided they are all properly validated and authorised).
>

The challenge is in ensuring that an entity is bound to the correct role in
an application. If there is ambiguity in assigning information to its
source, or determining the appropriateness of a source for providing the
information to the application, then the information is not trustworthy. In
a broader context, machines are being trusted not only to collect
information and perform actions, but increasingly to decide when certain
actions are to be performed. A more concrete example might be a system
which manages the addition of chemicals (fluoride, etc) to a city's water
supply, in response to telemetry from sensors. If a sensor can be
impersonated via naming collision (intentionally or otherwise), a decision
made by a machine to react to sensor telemetry could have a profoundly
negative effect on the human population of the city.


> > The DNS namespace, together with DNSSEC, forms the most widely-recognized
> > namespace and authenticated discovery mechanism on the Internet.
>
> Not clear what this is intended to convey.
>
> An agreement on one namespace is essential for preventing naming
collisions.


> > DANE builds on this authenticated discovery mechanism to enable public
> > key-based TLS authentication which is resilient to impersonation, but
> > only for TLS server identities.
>
> More precisely, how one locates the relevant RFC6698/7671 TLSA records
> for use with TLS is presently only defined for the server side of a TLS
> connection.
>
> > The use of CA-based PKI alone for client and message sender
> authentication
> > creates the possibility of naming collisions when multiple CAs are
> trusted
> > within the same application.
>
> It is rather unclear what this is getting at.  Perhaps it i trying to
> evoke lack of effective name constraints in the WebPKI?


Yes, you are correct.

>
>
> In response to the challenges related to ambiguity between identities
> > issued by different CAs, application owners frequently choose to
> > onboard IoT devices to a single CA.
>
> Again, what exactly is this tryign to get at?
>

Time is spent onboarding devices to the same PKI, to avoid naming
collisions.

>
> > Expanding the use cases for DANE to support the representation of TLS
> > client and message sender identities will enable unambiguous
> authentication
> > across CAs, for client/server TLS sessions as well as message-oriented
> > information flows.
>
> It seems that solving "ambiguity" is a major concern.  So the term needs
> a clear definition and some motivating examples.
>

Ambiguity here refers to naming collisions possible when using multiple PKI
within the same application.
What do you think about using "naming collision-free authentication across
CAs" instead?

>
> > The greatest barrier to DANE adoption has been the DNSSEC requirement.
>
> But which barriers if any are applicable to the DANISH use-case?  DNSSEC
> zone signing?  DNSSEC resolution on roaming devices?  Or tools to
> automate publishing data in DNS (signed or not), monitoring, ...
>
> DNSSEC zone signing


> > DANISH will provide a method of certificate and trust chain discovery for
> > private PKIs,
>
> What is "trust chain discovery"?  How is different from including all
> the relevant certificates with the message?  What is "certificate
> discovery"?  What makes these relevant to IoT?


IoT applications frequently have network constraints which make the
in-message transmission of certificates and chains impractical or
impossible.

For example: A device uses a cellular connection to transmit water level
measurements to a central service, for a city's storm water management
application. Since falsified measurements could lead to chaos, we want
signatures on all of those measurements so that we have some measure of
sender authentication/attribution. The cellular bill would be substantially
higher if the cert/chain were transmitted along with every measurement and
signature. Compare that to just transmitting the measurement, the device's
DNS name, and a signature. The authenticating central application can then
use a less constrained network connection to perform out-of-band
certificate discovery, based on the sending device's name, found in the
message itself.

>
>
> to enable the messaging security use case, in a manner which will work
> > securely in the absence of DNSSEC.
>
> Why is avoiding DNSSEC simpler than making it more compelling to deploy?
>

Allowing some limited success with DNS-based identity is expected to
further incentivize adoption of DNSSEC. This isn't about avoiding DNSSEC.
Rather, it's about postponing the requirement so that an organization can
demonstrate value in an identity strategy that eventually requires DNSSEC.

>
> > -Scope of work
> > DANISH will specify the TLS session and message security use cases and an
> > architecture describing the primary components and interaction patterns.
>
> I think the charter should go some way to clarifying the intended use
> cases.
>
> --
>     Viktor.
>
> --
> Danish mailing list
> Danish@ietf.org
> https://www.ietf.org/mailman/listinfo/danish
>


-- 

*Ash Wilson* | Technical Director
*e:* ash.wilson@valimail.com

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.