[SCITT] FW: FYI: Feedback received on the ztdnaid URI scheme request
Dick Brooks <dick@businesscyberguardian.com> Mon, 18 May 2026 18:33 UTC
From: Dick Brooks <dick@businesscyberguardian.com>
To: 'scitt' <scitt@ietf.org>
Date: Mon, 18 May 2026 14:33:37 -0400
Organization: Business Cyber Guardian
Message-ID: <0d5801dce6f4$d89bf360$89d3da20$@businesscyberguardian.com>
List-Id: "Supply Chain Integrity, Transparency, and Trust" <scitt.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/6vcaBjKko3I6Ujkjvu1AL84_keg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scitt>
FYI, feedback regarding my ztdnaid URI scheme used to assert a Zero Trust
identity, which can be validated using a Trust Registry, like SAG-CTR.
I sent this to the uri list today.
From: Dick Brooks <dick@businesscyberguardian.com>
Sent: Monday, May 18, 2026 2:15 PM
To: 'uri-review@ietf.org' <uri-review@ietf.org>
Subject: FYI: Feedback received on the ztdnaid URI scheme request
Hello,
I have received critical feedback about the proposed ztdnaid scheme, which
I created specifically to enable the DOD/DOW DIB to implement a low cost,
lightweight Zero Trust implementation in practice without the complexity of
SPIFFE and SPIRE.
DIB = Defense Industrial Base.
Here are the two criticisms I have received:
1. The Digital DNA ID DDR record could be easily guessed which makes
the ztdnaid easily guessed
2. This seems to compete with the NIST recommendations of SPIFFE and
SPIRE for Zero Trust identities
Responses:
1. The example DDR record contained in the ztdnaid URI scheme Internet
Draft is simply an example. I've been recommending that DIB users create
DDRs that are not easily guessable, i.e.
Entity ztdnaid = sha256("OwnerInformation/EntityInformation/EntityUUID")
Resource ztdnaid = sha256("OwnerInformation/ResourceInformation/ResourceUUID")
The ZTBOND record, used to verify a trust relationship between an Entity and
Resource, contains:
Zero Trust Bond ztdnaid = sha256("ZeroTrustDomainIdentifier, Entity ztdnaid, Resource ztdnaid")
None of these ztdnaids is easily guessable, and a brute-force attack on them
is unlikely to be successful.
2. In the past, NIST recommended the use of SPIFFE and SPIRE to assert
a Zero Trust identity. But this can be a heavy lift for many smaller DIB
entities. The ztdnaid is deliberately lightweight and well within the reach
of many DIB entities. They simply need to use a text editor, like notepad,
to create 3 text files: 1 containing the ZTEntity DDR, 1 containing the
ZTResource DDR, and a ZTBond DDR for each "trust relationship" between a
Resource and an Entity. The maximum DDR records are one per Entity, one per
Resource, and one "trust bond" per trust relationship; max number of records
= Count(Entity)*Count(Resource). Each DDR translates into a single ztdnaid
that is used to check zero trust against a high integrity "Trust Registry",
like SCITT.
DIB entities only need a text editor, like notepad, to create their DDR
files which can be registered in a Trust Registry, like SAG-CTR.
I hope you will consider these insights when you take up the ztdnaid URI
scheme proposal.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership
Lifetime IEEE Member
Never trust software, always verify and report!
<https://reliableenergyanalytics.com/products>
Risk always exists, but trust must be earned and awarded.
https://businesscyberguardian.com/
Email: dick@businesscyberguardian.com
Tel: +1 978-696-1788
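The derivations in the message above, carried through as an added worked example that is not the author's code and not part of the ztdnaid Internet Draft: it builds the Entity, Resource and ZTBOND ztdnaids with SHA-256 as the quoted formulas read (the "/"-joined and ", "-joined DDR layouts are a literal reading of those formulas and are assumptions), adds the registrar-side check that each Entity or Resource DDR carries a random (version-4) UUID, which is the point the guessability criticism turns on since SHA-256 is deterministic and adds no entropy of its own, and shows the one-per-Entity, one-per-Resource, Count(Entity)*Count(Resource) record count together with the verifier-side trust lookup. All owner, entity, resource and domain values are constructed placeholders, not real DIB identifiers.

```python
"""Worked example of the ztdnaid derivations described in the email.

Added example, not code from the draft or its author. The DDR string layouts
are a literal reading of the formulas quoted in the message; every owner,
entity, resource and domain value below is a constructed placeholder."""

import hashlib
import uuid


def sha256_hex(text: str) -> str:
    """SHA-256 over the UTF-8 bytes of a DDR string, as lowercase hex."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def entity_ddr(owner: str, entity: str, entity_uuid: str) -> str:
    # Layout assumed from sha256("OwnerInformation/EntityInformation/EntityUUID")
    return f"{owner}/{entity}/{entity_uuid}"


def resource_ddr(owner: str, resource: str, resource_uuid: str) -> str:
    # Layout assumed from sha256("OwnerInformation/ResourceInformation/ResourceUUID")
    return f"{owner}/{resource}/{resource_uuid}"


def bond_ddr(zt_domain: str, entity_id: str, resource_id: str) -> str:
    # Layout assumed from sha256("ZeroTrustDomainIdentifier, Entity ztdnaid, Resource ztdnaid")
    return f"{zt_domain}, {entity_id}, {resource_id}"


def has_random_uuid(ddr: str) -> bool:
    """Registrar-side check: the last '/'-separated field of an Entity or
    Resource DDR must parse as a version-4 (random) UUID. SHA-256 is
    deterministic and adds no entropy, so the ztdnaid is exactly as
    unpredictable as this field; a DDR built only from public owner and
    entity names would hash to a value anyone could recompute."""
    try:
        parsed = uuid.UUID(ddr.rsplit("/", 1)[-1])
    except ValueError:
        return False
    return parsed.version == 4


def build_trust_registry(owner, zt_domain, entities, resources):
    """Derive every ztdnaid for one Zero Trust domain: one per Entity, one per
    Resource, and one ZTBOND per (Entity, Resource) trust relationship.
    `entities` and `resources` are lists of (name, uuid_string) pairs.
    Returns {ztdnaid: (record_type, ddr_string)}; a DDR lacking a random
    UUID is rejected before it can be registered."""
    registry = {}
    entity_ids, resource_ids = [], []
    for name, euuid in entities:
        ddr = entity_ddr(owner, name, euuid)
        if not has_random_uuid(ddr):
            raise ValueError(f"entity DDR without random UUID: {ddr}")
        zid = sha256_hex(ddr)
        registry[zid] = ("ZTEntity", ddr)
        entity_ids.append(zid)
    for name, ruuid in resources:
        ddr = resource_ddr(owner, name, ruuid)
        if not has_random_uuid(ddr):
            raise ValueError(f"resource DDR without random UUID: {ddr}")
        zid = sha256_hex(ddr)
        registry[zid] = ("ZTResource", ddr)
        resource_ids.append(zid)
    for eid in entity_ids:
        for rid in resource_ids:
            ddr = bond_ddr(zt_domain, eid, rid)
            registry[sha256_hex(ddr)] = ("ZTBond", ddr)
    return registry


def is_trusted(registry, zt_domain, entity_id, resource_id) -> bool:
    """Verifier-side zero-trust check: recompute the bond ztdnaid for the
    presented Entity/Resource pair and look it up in the registry."""
    return sha256_hex(bond_ddr(zt_domain, entity_id, resource_id)) in registry


# Constructed sample data (placeholders, not real DIB identifiers).
SAMPLE_OWNER = "ExampleOwner"
SAMPLE_DOMAIN = "example-zt-domain"
SAMPLE_ENTITIES = [("ExampleEntity", "f47ac10b-58cc-4372-a567-0e02b2c3d479")]
SAMPLE_RESOURCES = [
    ("ExampleResourceA", "123e4567-e89b-42d3-a456-426614174000"),
    ("ExampleResourceB", "9b2c8f4e-1d3a-4c5b-8e7f-0a1b2c3d4e5f"),
]

if __name__ == "__main__":
    reg = build_trust_registry(SAMPLE_OWNER, SAMPLE_DOMAIN, SAMPLE_ENTITIES, SAMPLE_RESOURCES)
    for zid, (kind, ddr) in reg.items():
        print(kind, zid[:16] + "...", ddr[:60])
```

With one Entity and two Resources the registry holds 1 + 2 + 1*2 = 5 records. Note that the bond lookup is order-sensitive: a pair presented as (Resource, Entity) hashes to a different value and is not found, and a bond recomputed under a different ZeroTrustDomainIdentifier is likewise rejected.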