[saag] DOSETA paper for the W3C Identity in the Browser Workshop
Dave CROCKER <dhc2@dcrocker.net> Thu, 28 April 2011 01:07 UTC
Return-Path: <dhc2@dcrocker.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 847EDE08AD for <saag@ietfa.amsl.com>; Wed, 27 Apr 2011 18:07:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.438
X-Spam-Level:
X-Spam-Status: No, score=-7.438 tagged_above=-999 required=5 tests=[AWL=1.162, BAYES_00=-2.599, GB_I_LETTER=-2, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ceTWntDU8MX0 for <saag@ietfa.amsl.com>; Wed, 27 Apr 2011 18:07:28 -0700 (PDT)
Received: from sbh17.songbird.com (sbh17.songbird.com [72.52.113.17]) by ietfa.amsl.com (Postfix) with ESMTP id 43966E0800 for <saag@ietf.org>; Wed, 27 Apr 2011 18:07:28 -0700 (PDT)
Received: from [192.168.1.4] (adsl-67-127-56-68.dsl.pltn13.pacbell.net [67.127.56.68]) (authenticated bits=0) by sbh17.songbird.com (8.13.8/8.13.8) with ESMTP id p3S17MnX015887 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO) for <saag@ietf.org>; Wed, 27 Apr 2011 18:07:27 -0700
Message-ID: <4DB8BDBD.9080604@dcrocker.net>
Date: Wed, 27 Apr 2011 18:07:09 -0700
From: Dave CROCKER <dhc2@dcrocker.net>
Organization: Brandenburg InternetWorking
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: saag@ietf.org
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0 (sbh17.songbird.com [72.52.113.17]); Wed, 27 Apr 2011 18:07:28 -0700 (PDT)
Subject: [saag] DOSETA paper for the W3C Identity in the Browser Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: dcrocker@bbiw.net
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2011 01:07:29 -0000
Folks, Since I've been shopping this to every IETF venue I can get away with, I'll choose to use the thread on Sean and Stephen's W3C Identity paper as an excuse to burden this list with my own paper on Domain Security Tagging (DOSETA) and would appreciate any comments. d/ ----------- Tailored Signatures with DOSETA D. Crocker Brandenburg InternetWorking bbiw.net April 27, 2011 Abstract Trust begins with a verifiably correct identifier, coupled with claims about the meaning of the identifier’s presence. To date, Internet-scale authentication services have achieved limited deployment and less use, often with far more restricted actual semantics than are assumed by users. Domain Security Tagging (DOSETA) creates convenient specification, development, deployment and use of trust-related identifiers, by generalizing upon the core mechanisms of DKIM. Hence the effort needed for development and use of new authentication services is minimized. DOSETA is based on domain names as (organizational) identifiers and self-certifying keys stored in the Domain Name System. This paper summarizes the scope and details of DOSETA and describes an initial application for signing MIME objects. Introduction What does a signature mean? In the paper world, it might mean authorization for a charge on a credit card, or acknowledgment that a letter has been received, or the sale of a house. The language surrounding the signature defines its meaning. In the digital world, existing signature mechanisms typically are not as flexible. The meaning is built into the specification for a particular signature and the effort to create a new type of signature is typically quite high. Consequently, there is a very small range of digital signatures performed on the Internet today. What if it were easy to define a new type of signature with new semantics? This is not an issue of basic algorithms, but of defining the semantics and the packaging, along with a small matter of a certificate authority, to start the trust hierarchy, and of deployment and use effort. DOmain SEcurity TAgging [DOSETA] provides this flexibility and ease. It is based on the core mechanisms from [DKIM], extracted into a library of protocol components that minimize the incremental effort to develop a purpose-built data signature mechanism.^^1 <#sdfootnote1sym> This protocol design library is used by a signature protocol designer to provide a high point of specification departure, primarily limited to definition of semantics and mapping from a template to the specifics of the environment for the new signature. The core DOSETA services include: 1. A standardized mechanism for access to a signature’s public key, using existing infrastructure. 2. A packaging method for associating key-related information with the data being signed, in a manner that can be invisible to a non-participating receiver of the data. 3. A basic set of cryptography algorithms, but this is extensible by registration. 4. A basic set of algorithms for data canonicalizations, to withstand small changes to the data when it is in transit, but this is extensible by registration. This core is enhanced with a “template” for performing object-oriented authentication on data that conform to a classic header/content model. The template supports asserting a list of signature semantic “claims” through an extensible registry. Hence, a signature can assert multiple meanings, such as validation of the purported author and validation of the content. An object-oriented approach is distinguished from a channel-oriented approach, such as SSL/TLS. The philosophical difference essentially means that a channel-oriented scheme protects the path and does not care what bits pass over it. An object-oriented scheme protects a package of data and does not care what path the data travel. DOSETA is based on some simplifying assumptions: 1. Signatures are by organizations, not individuals. Hence, the identity and naming mechanism is relatively coarse-grained, specifically in the form of a domain name. (It is possible to use domain names to refer to individuals, but this has not typically proved practical at scale.) 2. Signature keys are self-certifying. Because a domain name is the signature identifier, a public key that is associated with the signature is stored under that name in the DNS. The premise is that the owner of the domain name controls what is put into the DNS under that name. Self-certifying keys have significant appeal, but they also have limitations for use. Some signatures really do need to be vetted by an outside trust authority. DOSETA does not (currently) satisfy such a requirement, when asserted. To the extent that higher-valued signature assurances are needed, adding in the use of DNSSEC can be helpful to reduce a concern that an independent agent might have modified the DNS records under the name. Key Storage DOSETA re-uses the DKIM/DomainKeys key storage mechanism. This employs a DNS TXT resource record, containing public key parameters to be used when validating a signature. A key query is made to the domain name: /<selector>/*._domainkey.*/<domain>/ where: /domain:/ is the identifier used to do the signing. /selector:/ is an administrative qualifier, which supports use of multiple keys for the same identifier, such as to permit multiple individuals being able to sign, or to permit rolling over to a new key in a graceful manner. The full string is used to do a retrieval, but the string that specifies the signing “identifier” is only the base /<domain>/ string. The constant string “_domainkey” is used to signal that the sub-tree provides attribute information to the parent domain, in this case the parameters for a public key. The key storage mechanism re-uses the DKIM/DomainKeys name format on the theory that there is no added security in defining a different scheme and name tree, such as using a different “underscore” constant string, and that there is considerable administrative benefit in avoiding the effort to create and maintain a new set of keys. However, it is a small matter for any new protocol designer to create a new naming tree, by specifying a different constant. (Populating and maintain a new tree of keys will be less easy.) Packaging of Parameters Digital signature mechanisms usually impose their presence on the receiver of data. [OpenPGP] has specialized, in-line packaging. [S/MIME] uses MIME Multipart/Secure packaging. For recipients of the data who do not participate in the security mechanism, this largely renders the data unusable.^^2 <#sdfootnote2sym> In contrast, the DOSETA scheme puts the signature information into a separate header field, out of the way of software (and users) not prepared to process it. Within this header field, parameters use a simple attribute/value textual tagging format. Cryptographic Routines DOSETA re-uses the set of cryptography algorithms used for DKIM. These are defined as extensible sets, so that the effort of adding new algorithms is primarily the work of defining new registry entries. Data Canonicalization In transit, some services subject data to transformation, such as reducing a string of linear white space to a single string, or mapping newline to a particular character (or character pair.) Changes like these often are benign. They do not change the “meaning” of the data and it makes sense to define the signature in a way that is robust against the changes. DOSETA re-uses the two canonicalization schemes currently in DKIM. However, an additional scheme is being contemplated, to provide robustness against some additional transformations that appear to be common. Note, however, that the more robust a canonicalizations algorithm, the more opportunity there is for a bad actor to find a way to exploit the signature insensitivity. Signature Template DOSETA defines a generic signing protocol template, for data that has a header and separate content, such as email and MIME. A variety of other data formats appear to be friendly candidates for this model, such as JSON and XML. When conforming to the template, a new signature designer merely needs to define: /D-Signature association: / How is the signature data linked to the cover header and the content? /Semantics signaling:/ How does the consuming application detect that the signature is present? Although this will normally be accomplished by detecting the signature in a standardized header field that holds the signature attributes, other approaches might make sense in some situations. /Semantics: / The meaning(s) of a signature. A registry supports definition of multiple “claims” that can be listed and asserted by a signature. /Header/Content mapping:/ How are the actual header and content data for a particular signing service mapped from the generic DOSETA template? Claims Registry As described earlier, a signature can have different or multiple meanings. The DOSETA signature template defines a registry for signature semantics, so that one or more can be asserted at the time of signing. The initial entries for the registry are: /handled:/ The signer had a role in processing the object. (This claim is approximately equivalent to the semantics of DKIM.) /validauth:/ Purported author of object is valid /validdata:/ All of the content is valid. /validfields:/ The listed portions of the object are valid. MIME Authentication As an initial demonstration of DOSETA’s flexibility and utility, there is a definition of authentication for signed MIME bodies [MIMEAUTH]. To follow the template described above: /D-Signature association:/ The *Content-Authentication:* field is defined to hold the parameters /Semantics signaling/ The presence of a *Content-Authentication:* signals the presence of a MIMEAUTH signature. /Semantics:/ The meaning of a MIMEAUTH signature is asserted by listing one or more claims from the DOSETA Claims Registry. /Header/content mapping:/ Specified MIME fields map to the DOSETA template’s header and the MIME Body maps to the DOSETA templates content. DOSETA’s signature template re-uses an interesting feature from DKIM, namely the selective inclusion of header fields to be covered by the signature. The reason that not all fields are automatically included refers back to DKIM’s email context: In transit, some fields are added (and therefore can not be part of the signature) and some fields are subject to particularly violent transformations that would break the signature. In addition to permitting selective inclusion of MIME header fields, this mechanism permits selective inclusion of fields that are part of the container holding the data object. That is, the signature can also cover parts of the “parent” object, such as an email message header or an HTTP header. Hence, this mechanism can be useful for signing a web page. Status The DOSETA and MIMEAUTH specifications are quite new and are still going through early reviews. Early returns have been encouraging. The primary open source implementation of DKIM is [OpenDKIM]. There are plans to enhance the library so that it also support DOSETA and MIMEAUTH. References [DKIM] Allman, E., Callas, J., Delany, M., Libbey, M., Fenton, J., and M. Thomas, "DomainKeys Identified Mail (DKIM) Signatures", RFC 4871, May 2007. [DOSETA] Crocker, D. and Kucherawy, M., “DomainKeys Security Tagging (DOSETA)”, Work in Progress, <_http://datatracker.ietf.org/doc/draft-crocker-doseta-base/_>, March 2011. [MIMEAUTH] Crocker, D. and Kucherawy, M., “MIME Content Authentication using DOSETA (MIMEAUTH)”, Work in Progress, <_http://datatracker.ietf.org/doc/draft-crocker-doseta-mimeauth/ <http://datatracker.ietf.org/doc/draft-crocker-doseta-base/>_>, February 2011. [OpenDKIM] The OpenDKIM Project, <http://opendkim.org/> [OpenPGP] Callas, J., Donnerhacke, L., Finney, H., and R. Thayer, "OpenPGP Message Format", RFC 4880, November 2007. [S/MIME] Ramsdell, B. (ed), “S/MIME Version 3 Message Specification”, RFC 2633, June 1999 1 <#sdfootnote1anc>These core aspects of DOSETA were the essential contributions developed for DKIM’s predecessor, DomainKeys, by Mark Delany, then of Yahoo! DKIM was an evolution of DomainKeys. DOSETA is merely stealing these earlier innovations for re-purposing to other signing activities. 2 <#sdfootnote2anc>Note also that OpenPGP and S/MIME are typically tied to confidentiality content encryption, as well as signing. DOSETA can be enhanced to support confidentiality but it currently only has the task of authentication. -- Dave Crocker Brandenburg InternetWorking bbiw.net
- [saag] DOSETA paper for the W3C Identity in the B… Dave CROCKER