[keyassure] Fwd: WG Action: DNS-based Authentication of Named Entities (dane)
Warren Kumari <warren@kumari.net> Sat, 11 December 2010 22:09 UTC
Return-Path: <warren@kumari.net>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AAFEA3A6D4A for <keyassure@core3.amsl.com>; Sat, 11 Dec 2010 14:09:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.535
X-Spam-Level:
X-Spam-Status: No, score=-102.535 tagged_above=-999 required=5 tests=[AWL=0.064, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CYNvzb6vvanX for <keyassure@core3.amsl.com>; Sat, 11 Dec 2010 14:09:32 -0800 (PST)
Received: from smtp.kumari.net (smtp.kumari.net [216.177.58.220]) by core3.amsl.com (Postfix) with ESMTP id 305DA3A6CC1 for <keyassure@ietf.org>; Sat, 11 Dec 2010 14:09:29 -0800 (PST)
Received: from [192.168.0.221] (unknown [64.13.52.115]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.kumari.net (Postfix) with ESMTPSA id 41EC0DEE30E; Sat, 11 Dec 2010 17:08:02 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Apple Message framework v1081)
From: Warren Kumari <warren@kumari.net>
Date: Sat, 11 Dec 2010 17:15:10 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <545CA231-56F6-43B0-8068-305CBA3966A9@kumari.net>
References: <20101210181705.EC6933A6CBA@core3.amsl.com>
To: keyassure@ietf.org
X-Mailer: Apple Mail (2.1081)
Subject: [keyassure] Fwd: WG Action: DNS-based Authentication of Named Entities (dane)
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Dec 2010 22:09:33 -0000
Hello everyone... Well, it is official, we are formally a Working Group -- I'd like to start of by thanking everyone for all of their input and help getting this formed, hammering out the charter, etc. So, as mentioned in an earlier mail, we are planning on hitting the round running -- as mentioned in a previous mail, Ondrej and myself have already asked Paul Hoffman and Jakob if they would be willing to author −00 of the protocol document (starting with the ideas from the three documents listed in the charter, augmented by the wide discussion that has happened since we submitted the charter) and they have graciously agreed to do so. We have also asked Matt Lepinski <mlepinski@bbn.com> to please serve as WG Secretary and would like to thank him for taking on this role... Once again, thanks all -- but this is just the beginning and we're (eagerly) expecting a bunch more work from y'all :-) W (A quick note on the name: Unfortunately KIDNS was viewed as too close to KITTEN -- I really wanted PUPPY, but we couldn't come up with a good (reverse) acronym, and DONKEY was ruled out -- so, we have settled on (great) DANE. Please note that the charter specifies what we work on, not the name....). Begin forwarded message: > From: IESG Secretary <iesg-secretary@ietf.org> > Date: December 10, 2010 1:17:05 PM EST > To: IETF Announcement list <ietf-announce@ietf.org> > Cc: warren@kumari.net, ondrej.sury@nic.cz, keyassure@ietf.org > Subject: WG Action: DNS-based Authentication of Named Entities (dane) > > A new IETF working group has been formed in the Security Area. > For additional information, please contact the Area Directors or the WG > Chairs. > > DNS-based Authentication of Named Entities (dane) > --------------------------------------------------- > Current Status: Active Working Group > > Chairs: > Warren Kumari <warren@kumari.net> > Ondrej Sury <ondrej.sury@nic.cz> > > WG Secretary: > Matt Lepinski <mlepinski@bbn.com> > > Security Area Directors: > Sean Turner <turners@ieca.com> > Tim Polk <tim.polk@nist.gov> > > Security Area Advisor: > Tim Polk <tim.polk@nist.gov> > > Mailing Lists: > General Discussion: keyassure@ietf.org > To Subscribe: https://www.ietf.org/mailman/listinfo/keyassure > Archive: > http://www.ietf.org/mail-archive/web/keyassure/current/maillist.html > > Description of Working Group: > > Objective: > > Specify mechanisms and techniques that allow Internet applications to > establish cryptographically secured communications by using information > distributed through DNSSEC for discovering and authenticating public > keys which are associated with a service located at a domain name. > > Problem Statement: > > Entities on the Internet are usually identified using domain names and > forming a cryptographically secured connection to the entity requires > the entity to authenticate its name. For instance, in HTTPS, a server > responding to a query for <https://www.example.com> is expected to > authenticate as "www.example.com". Security protocols such as TLS and > IPsec accomplish this authentication by allowing an endpoint to prove > ownership of a private key whose corresponding public key is somehow > bound to the name being authenticated. As a pre-requisite for > authentication, then, these protocols require a mechanism for bindings > to be asserted between public keys and domain names. > > DNSSEC provides a mechanism for a zone operator to sign DNS > information directly, using keys that are bound to the domain by the > parent domain; relying parties can continue this chain up to any trust > anchor that they accept. In this way, bindings of keys to domains are > asserted not by external entities, but by the entities that operate the > DNS. In addition, this technique inherently limits the scope of any > given entity to the names in zones he controls. > > This working group will develop mechanisms for zone operators to > present bindings between names within their control and public keys, in > such a way that these bindings can be integrity-protected (and thus > shown to be authentically from the zone operator) using DNSSEC and > used as a basis for authentication in protocols that use domain names as > identifiers. Possible starting points for these deliverables include > draft-hallambaker-certhash, draft-hoffman-keys-linkage-from-dns, and > draft-josefsson-keyassure-tls. > > The mechanisms developed by this group will address bindings between > domain names and keys, allowing flexibility for all key-transport > mechanisms supported by the application protocols addressed (e.g., both > self-signed and CA-issued certificates for use in TLS). > > The solutions specified by this working group rely upon the security of > the DNS to provide source authentication for public keys. The decision > whether the chain of trust provided by DNSSEC is sufficient to trust the > key, or whether additional mechanisms are required to determine the > acceptability of a key, is left to the entity that uses the key > material. In addition to the protections afforded by DNSSEC, the > protocols and mechanisms designed by this working group require securing > the "last hop" by operating a local DNS resolver or securing the > connection to remote resolver - this WG will not specify new mechanisms > to secure that hop, but will reference existing specifications or > document existing methods in order to allow implementations to > interoperate securely. > > Initial deliverables for this working group are limited to distribution > of bindings between names within the zone operator's control and public > keys. More general statements of policy for a domain are out of scope, > and new tasks in this area may only be adopted through a re-chartering. > > The group may also create documents that describe how protocol entities > can discover and validate these bindings in the execution of specific > applications. This work would be done in coordination with the IETF > Working Groups responsible for the protocols. > > Goals and Milestones: > > Apr 2011 First WG draft of standards-track protocol for using DNS to > associate hosts with keys for TLS and DTLS > May 2011 First WG draft of standards-track protocols for using DNS to > associate hosts with IPsec > Sep 2011 Protocol for using DNS to associate domain names with keys for > TLS and DTLS to IESG > Sep 2011 Protocols for using DNS to associate domain names with keys > for IPsec to IESG > Nov 2011 Recharter >
- [keyassure] WG Action: DNS-based Authentication o… IESG Secretary
- [keyassure] Fwd: WG Action: DNS-based Authenticat… Warren Kumari
- Re: [keyassure] Fwd: WG Action: DNS-based Authent… Paul Hoffman
- Re: [keyassure] Fwd: WG Action: DNS-based Authent… Warren Kumari