[Secdispatch] Re: Request for Review and Adoption of Internet Draft: High Assurance DIDs with DNS

Eric Rescorla <ekr@rtfm.com> Sun, 03 November 2024 21:37 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C285FC151520 for <secdispatch@ietfa.amsl.com>; Sun, 3 Nov 2024 13:37:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QsaEqeyyS4-D for <secdispatch@ietfa.amsl.com>; Sun, 3 Nov 2024 13:37:15 -0800 (PST)
Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com [IPv6:2607:f8b0:4864:20::b2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58509C1DFD3D for <secdispatch@ietf.org>; Sun, 3 Nov 2024 13:37:15 -0800 (PST)
Received: by mail-yb1-xb2b.google.com with SMTP id 3f1490d57ef6-e2915f00c12so3089834276.0 for <secdispatch@ietf.org>; Sun, 03 Nov 2024 13:37:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1730669834; x=1731274634; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=hO/TxrMUDJ5ZweKxs7fgL3bNRYNhQynaExAIlFNVFNQ=; b=tGI3d8dKUhxfBDgFRa1s3FdK489BS/lRmU4SVB3u6CkSAL1AiVrW/MqxeCekk5YqGC iy/oWeFUlxvgwsYEaGnqOGmLPO01/YROsI2snLZ/ZtffCiaYJ+0ZYCAQMxFK8FTuthFX OPs+SwAa/yJBifsWe54LHc0vE0clj2Dz5YxHzPUfcQXf1BIjJwKb8mVFPOqxvDCldmrK XztQmJQs9GRz0+yqzVYLtKPwsIBeku6M8GyQftMyUnBc+14HtGgurTyqleDa5v5SfL+2 cyPNRrJ2npd4aC3CVhZNb/ekZiJ7wHB1T8ri6GDRSIiCLMtPOVQkXaMPW40kt/x3xgYw P9Qw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1730669834; x=1731274634; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=hO/TxrMUDJ5ZweKxs7fgL3bNRYNhQynaExAIlFNVFNQ=; b=j77ABjb7O8RLOgxPrbYnnI0qSyw62ahkgrc5EFEqq3DL4wdR/T2qY/xuvR3iGwzWCv U9mK/RazNZVuoFZ/IBvpBX94phpvWOZmx+qu0IiNrvzspcOzMqjY9TIgv/cTS9VJqitk 5VHVRo7C6r45JKBnHTWAACCRq7bPISyBvUPOAFbbvKzG5s7WB+BnVDoLpo+M5ZAaw5+0 gohGi/lI34Zv058JlYKcQRt8/zG1bZP44w5rDQSk5KmO0rfz1ryW9nu+dZc+vKnhFhT5 aioZq03TrEd1aX/Q4K9iK2iVH7Wlt37si7bzGhZg67HX935uHaFO7nkDAwTtJYS0fLX0 iaWA==
X-Forwarded-Encrypted: i=1; AJvYcCUugMQxZeWhLXeFabGcAG81OIvOZe67sBA8Ca7dUUy65DGjicBeJ4fWEGrxqL9tPk4Ar80JRzIUUZiPCA==@ietf.org
X-Gm-Message-State: AOJu0YwVoGnGLBVJgettjGH0jBLSl+MqbtAYUGHd3LyFTD23poaFsU2m 8EloO+eLLgEHtL/gLFaw2VNK2SRIB50PhNZ4CiAq5F7NnOEy6CmzzVI9XQWfAIptjX5ptyJQOdM LxPMZJ/Xlzo8S0YIwfK/uew7YnEkqsruMR5D9bw==
X-Google-Smtp-Source: AGHT+IHEy5CFdJ5D27irBii/lY98DuGa+rKTDGtGBi6qcE5e3aBg6F9hcomGg05hkzDQ2Zz0TdvAifG3xSYejK/GFfw=
X-Received: by 2002:a05:6902:1083:b0:e30:e39b:9d72 with SMTP id 3f1490d57ef6-e30e39ba231mr13533670276.16.1730669834125; Sun, 03 Nov 2024 13:37:14 -0800 (PST)
MIME-Version: 1.0
References: <YT2P288MB0252E6E515F3E9A5833C32488A952@YT2P288MB0252.CANP288.PROD.OUTLOOK.COM> <YT2P288MB02523F41AE4C3EBCDE33D38C8A962@YT2P288MB0252.CANP288.PROD.OUTLOOK.COM> <CADNypP9-Zk3B_hwvpk9z2mQhfxPbgp0g_BFDgj09B=aBOZ_egw@mail.gmail.com>
In-Reply-To: <CADNypP9-Zk3B_hwvpk9z2mQhfxPbgp0g_BFDgj09B=aBOZ_egw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 03 Nov 2024 13:36:38 -0800
Message-ID: <CABcZeBNa7KG4SNxqpJnNhA9KtyOiO5e9efb-xX+m9p0od7hzxA@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000afe539062608f8c7"
Message-ID-Hash: TQHY4Q5KYZ7TE66J3A4R7TY6EZ2U3MFP
X-Message-ID-Hash: TQHY4Q5KYZ7TE66J3A4R7TY6EZ2U3MFP
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdispatch.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Jacques Latour <Jacques.Latour=40cira.ca@dmarc.ietf.org>, "secdispatch@ietf.org" <secdispatch@ietf.org>, Jesse Carter <Jesse.Carter@cira.ca>, Mathieu Glaude <mathieu@northernblock.io>, Tim Bouma <tim.bouma@dgc-cgn.org>, Jim Fenton <fenton@bluepopcorn.net>, "Pengshuping (Peng Shuping)" <pengshuping@huawei.com>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Secdispatch] Re: Request for Review and Adoption of Internet Draft: High Assurance DIDs with DNS
List-Id: Security Dispatch <secdispatch.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/0BoTdpI2E-eYirc0QT0UJd5igIg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Owner: <mailto:secdispatch-owner@ietf.org>
List-Post: <mailto:secdispatch@ietf.org>
List-Subscribe: <mailto:secdispatch-join@ietf.org>
List-Unsubscribe: <mailto:secdispatch-leave@ietf.org>

DISPATCH COMMENTS
I do not think that the IETF is the proper location for this
document. DIDs are not an IETF product and there's very little
IETF-specific in this WG. The appropriate place for this work is in
the W3C DID WG. I might feel differently if the W3C were to sendd us a
liaison statement asking us to pick up this work.


TECHNICAL COMMENTS

* did:web
I understand the design you have for did:X where X != Web, where
there is a signature from some key that is in the DNS. But
with did:web, it seems like instead the key is being used to
validate the TLS connection to the Web server? This seems
quite a bit weaker. Why not sign all th time?

* DNSSEC
I think this really needs to require DNSSEC all the time. I
have concerns about the deployability of DNSSEC, but I don't
see how this mechanism adds real safety without that.

S 3.3.
   The association to a domain stemming only from the did is
   unidirectional.  By leveraging URI records as outlined in
   [DID-in-the-DNS], we can create a bidirectional relationship,
   allowing a domain to publish their associated DID in the DNS.

   *_Ex: _did.example-issuer.ca IN URI 1 0 “did:web:example-issuer.ca”_*

   This relationship enhances security, as an entity would require
   control over both the DID and the domain’s DNS server to create this
   bidirectional association, reducing the likelihood of malicious
   impersonation.

I don't follow how this works. Once you are signing using a key
in the DNS, how does this new record help?


S 3.4.3.

   Hosting the public keys in TLSA records provides a stronger mechanism
   for the verifier to verify a did and its associated entity with, as
   they are able to perform a cryptographic challenge against the DID
   using the corresponding TLSA records, or against the domain using the
   corresponding [verificationMethod] in the DID document.  The
   accessibility of the public keys is also beneficial, as the verifier
   does not need to resolve the DID document to accesss its associated
   key material, enhancing interoperability.

I'm not sure what you are contrasting hosting the keys in DNS to. Can you
expand.





On Mon, Sep 9, 2024 at 10:44 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
wrote:

> Thanks Jacques!
> We will add it to the list of topics to discuss.
> Will you be attending in person or remote?
>
> Regards,
>  Rifaat
>
>
> On Thu, Aug 29, 2024 at 8:57 AM Jacques Latour <Jacques.Latour=
> 40cira.ca@dmarc.ietf.org> wrote:
>
>> Hi,
>>
>>
>>
>> ACME recommended this should be sent here for considerations.
>>
>>
>>
>> Looking forward to see what you think and where home is 😉.
>>
>>
>>
>> Jacques
>>
>>
>>
>>
>>
>> *From:* Jacques Latour <Jacques.Latour@cira.ca>
>> *Sent:* August 28, 2024 4:30 PM
>> *To:* acme@ietf.org
>> *Cc:* Jacques Latour <Jacques.Latour@cira.ca>; Jesse Carter <
>> Jesse.Carter@cira.ca>; Mathieu Glaude <mathieu@northernblock.io>; Tim
>> Bouma <tim.bouma@dgc-cgn.org>
>> *Subject:* Request for Review and Adoption of Internet Draft: High
>> Assurance DIDs with DNS
>>
>>
>>
>> Hi all!
>>
>>
>>
>> First time asking for an internet draft adoption.
>>
>>
>>
>> ·
>> https://datatracker.ietf.org/doc/draft-carter-high-assurance-dids-with-dns/
>>
>>
>>
>> As one of the authors of the internet draft titled "High Assurance DIDs
>> with DNS" (draft-carter-high-assurance-dids-with-dns), I am writing to
>> request the ACME Working Group to review and consider adopting this draft
>> as part of your working group.
>>
>>
>> The draft proposes a method for integrating high assurance Decentralized
>> Identifiers (DIDs) with the Domain Name System (DNS), aiming to enhance the
>> security and reliability of DIDs by leveraging the established trust
>> infrastructure of DNS. We believe that this integration aligns well with
>> the goals and expertise of the ACME Working Group, particularly in the
>> areas of secure and automated certificate management.
>>
>> We would greatly appreciate the opportunity to present this draft to the
>> working group and discuss its potential benefits and implementation
>> details. Your feedback and guidance would be invaluable in refining the
>> draft and ensuring its alignment with the broader objectives of the IETF.
>>
>> Please let us know if there are any specific procedures or additional
>> information required for this request. We are eager to collaborate with the
>> ACME Working Group and contribute to the advancement of secure and reliable
>> internet standards.
>>
>> In terms of support and reference for this draft, we have the following
>> references that may help justify our ask.
>>
>>
>>
>> ·
>> https://dhs-svip.github.io/requirements-for-decentralized-identity/TrustArchitecture/
>>
>> ·         DID Specification Registries (w3c.github.io)
>> <https://w3c.github.io/did-spec-registries/#dnsvalidationdomain>
>>
>> ·         Trust DID Web - The did:tdw DID Method (bcgov.github.io)
>> <https://bcgov.github.io/trustdidweb/>
>>
>>
>>
>> Example DNS implementation:
>>
>>
>>
>> $ dig _did.trustroot.ca uri +dnssec +multi
>>
>>
>>
>> _did.trustroot.ca.      3518 IN URI 0 0 "did:web:trustroot.ca"
>>
>> _did.trustroot.ca.      3518 IN RRSIG URI 13 3 3600 (
>>
>>                                 20240905000000 20240815000000 17999
>> trustroot.ca.
>>
>>
>> 4CJsquY7BEcA2YX1iWHIKzXx4lEvWa7k8JWNbp4zu3dp
>>
>>
>> KQXdwZ73geTKgzfNz9g5+HyckxTyNyz8LU8lA+G4lg== )
>>
>>
>>
>> $ dig _did.trustroot.ca tlsa +dnssec +multi
>>
>>
>>
>> _did.trustroot.ca.      3527 IN TLSA 3 1 1 (
>>
>>
>> CEEAD59AAE176DDD8889DF0B02083CB393D07655CBA9
>>
>>                                 D668EA334ABDBDB72A39 )
>>
>> _did.trustroot.ca.      3527 IN TLSA 3 1 0 (
>>
>>
>> 302A300506032B6570032100C300A443F0427440AC90
>>
>>
>> BDA85B4F97896879564A7AB649B976FA7D15FEAFC225 )
>>
>> _did.trustroot.ca.      3527 IN RRSIG TLSA 13 3 3600 (
>>
>>                                 20240905000000 20240815000000 17999
>> trustroot.ca.
>>
>>
>> z/E+jECtQzNi0zcBcrVa8P8UKiHx5SHcSEmN2vR6Oe4t
>>
>>
>> nfvjso/8/ZXo/IlWtoqgIYrCeJJ9NLFTu/q0cGwUIg== )
>>
>>
>>
>> Thank you for your time and consideration.
>>
>> Best regards,
>>
>> Jacques, Jesse, Mathieu and Tim.
>>
>>
>>
>>
>>
>>
>>
>> CLASSIFICATION:CONFIDENTIAL
>> _______________________________________________
>> Secdispatch mailing list -- secdispatch@ietf.org
>> To unsubscribe send an email to secdispatch-leave@ietf.org
>>
> _______________________________________________
> Secdispatch mailing list -- secdispatch@ietf.org
> To unsubscribe send an email to secdispatch-leave@ietf.org
>