[Secdispatch] Re: [EXT] Re: Re: Request for Review and Adoption of Internet Draft: High Assurance DIDs with DNS

Jesse Carter <Jesse.Carter@cira.ca> Mon, 04 November 2024 15:03 UTC

Return-Path: <Jesse.Carter@cira.ca>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67FEAC1E723C for <secdispatch@ietfa.amsl.com>; Mon, 4 Nov 2024 07:03:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cira.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZJDk8UrBxVdW for <secdispatch@ietfa.amsl.com>; Mon, 4 Nov 2024 07:03:26 -0800 (PST)
Received: from CAN01-YQB-obe.outbound.protection.outlook.com (mail-yqbcan01on2109.outbound.protection.outlook.com [40.107.116.109]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECF34C1DA2E0 for <secdispatch@ietf.org>; Mon, 4 Nov 2024 07:03:25 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=Lc5XNB/A1EV0203fjTUPkO6/eIBlzA14Qbl02fhfmUhGfdpFJm+cJoDC44EnYkdJ7HXT/gy161SL2rVZ8ma2Z4YjPDCQAjWrEyXk8KLEat6K5BUG4ysyZHgdD17Epqs29smjr571ii5UNx8mc8m7X6K8gVx5yesa2rEL7W8GO4ed8KAlHsxP31L5SicHrCpUcFtxcpTSJRJIsMNzM06inU567wwMf+vekoFtIlMjk8vMU3NGiu67cee6t8mlZnO5pJz3rAQh02kmcr4DHyo4Qs/1UvI+8iAcPxV+2ym7KXmfxt4dqpc6yg8Q7B+0aLdVZfotymONI1Ucvql3Vgwy7A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=vkJplhNqx3biSnOsG5KQyqB8515XzPcZj1PiPAIwQLM=; b=RsjP9wgDgizMrUWlgsKPAvwztdzttFZWLtOSqU3QhGeaEnNhFRloPdoH6wcvQ8ifuHM1twLWGnm5+q2sZPYUMcbkzpfl3s0KdyLB8EeFef3PZIKBqQNz4+lovV3lA4qsHivQ1wpuxz4o53oPIslF7IJL2W5DYSNi8nTi9HnLWoJ1HfgsbBYMv4X1Z/PGSKm/uyZ2AD+nLJIz2WyvAIG3pQ0I3dGbQPiRzwNgaGSn/qulpapZksPyGuJMDrWLBRGQ9q6l64Dz4p+0crpi0E1ip4+5qSttPaNghAVjhXet6BkHN3peqAminCMwAsXBE/WeWTK/bqkiINXfI+Lxeuoc9g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cira.ca; dmarc=pass action=none header.from=cira.ca; dkim=pass header.d=cira.ca; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cira.ca; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vkJplhNqx3biSnOsG5KQyqB8515XzPcZj1PiPAIwQLM=; b=OvVd0IZ1YDcGVvFYhusAVZMI2rFOB0d2M8ciArXv6HlCHl4gwQbdCXLAdSUkkHMvlWdzLKrs2+WMFRbcZlYQcdB61Pp624TkMx0VtBxYpEtLxHfiI3/r8rzalUTV3FfR7FOKuQpKOwc12L5yTyfSAwZXC8tVgp8fG5WGDWLNO1joHiC2zEkc+hjWemKrV7+psuiDyndcOQwBZMcu41oCURVGSCt9TuMdGsVSQBmYNy2GRjnQZG0X3HmWgGsoIKl+Gv+bZRfQIYvtCGmYWHPgxT+Y5rk5Q5Q5A8LqqQg3XQTR5+F1I28TvjUJEXYV0im8S1LamFatnZBrDLgUy0WsSQ==
Received: from YT2P288MB0314.CANP288.PROD.OUTLOOK.COM (2603:10b6:b01:f2::7) by YQBP288MB0018.CANP288.PROD.OUTLOOK.COM (2603:10b6:c01:74::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8114.31; Mon, 4 Nov 2024 15:03:19 +0000
Received: from YT2P288MB0314.CANP288.PROD.OUTLOOK.COM ([fe80::546a:b787:59f9:9bf8]) by YT2P288MB0314.CANP288.PROD.OUTLOOK.COM ([fe80::546a:b787:59f9:9bf8%5]) with mapi id 15.20.8114.031; Mon, 4 Nov 2024 15:03:19 +0000
From: Jesse Carter <Jesse.Carter@cira.ca>
To: Eric Rescorla <ekr@rtfm.com>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Thread-Topic: [EXT] Re: [Secdispatch] Re: Request for Review and Adoption of Internet Draft: High Assurance DIDs with DNS
Thread-Index: Adr5hgtZRoPehWV2Tdi/+m8w5NOlRQAjEiVgAjNemQAK1ioQAAAkg97A
Date: Mon, 04 Nov 2024 15:03:19 +0000
Message-ID: <YT2P288MB031459916AF82CF318E042C098512@YT2P288MB0314.CANP288.PROD.OUTLOOK.COM>
References: <YT2P288MB0252E6E515F3E9A5833C32488A952@YT2P288MB0252.CANP288.PROD.OUTLOOK.COM> <YT2P288MB02523F41AE4C3EBCDE33D38C8A962@YT2P288MB0252.CANP288.PROD.OUTLOOK.COM> <CADNypP9-Zk3B_hwvpk9z2mQhfxPbgp0g_BFDgj09B=aBOZ_egw@mail.gmail.com> <CABcZeBNa7KG4SNxqpJnNhA9KtyOiO5e9efb-xX+m9p0od7hzxA@mail.gmail.com>
In-Reply-To: <CABcZeBNa7KG4SNxqpJnNhA9KtyOiO5e9efb-xX+m9p0od7hzxA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_b68f241e-38ec-46a2-b287-b66348910c4d_ActionId=a79f3374-3ce3-42dd-8f0a-bd32a20b0540;MSIP_Label_b68f241e-38ec-46a2-b287-b66348910c4d_ContentBits=0;MSIP_Label_b68f241e-38ec-46a2-b287-b66348910c4d_Enabled=true;MSIP_Label_b68f241e-38ec-46a2-b287-b66348910c4d_Method=Privileged;MSIP_Label_b68f241e-38ec-46a2-b287-b66348910c4d_Name=Public;MSIP_Label_b68f241e-38ec-46a2-b287-b66348910c4d_SetDate=2024-11-04T15:02:50Z;MSIP_Label_b68f241e-38ec-46a2-b287-b66348910c4d_SiteId=f349b30c-7550-4f17-88da-269417631f54;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cira.ca;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: YT2P288MB0314:EE_|YQBP288MB0018:EE_
x-ms-office365-filtering-correlation-id: 705d2e3d-dec4-4385-455d-08dcfce1d198
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|366016|376014|1800799024|4022899009|38070700018|8096899003;
x-microsoft-antispam-message-info: z50y8D5m85rC/SrRnZ6jlRcCttrP5b+pXxrodTrlXBy/qIlIJAyL9LeEzd6qh03wR1BwjeG70sXgQBrDFiOrt7SZ2L3pRpj6tzpI5ncXQ75/L76u/BbWjxqLceAzGpi3uRwOwbfA2igRCLeH0LpZi5l+DoqSfmd8AfE47+FCB7P1VWv+CO6pKNdqybwQHJzi1Juptm2jcmHmH8sL2HhF7xUyCmMxeQQSLgsFqBI5q9hEnKHxG5N56MjhLXD/27zWVxus1Ei3x/ImbpyqTYb0TzqRzSW9FSH9O365GkxrrRcjwSPJY8fUeuEHa3yW3YL9+t2uyAjUttO4K9U/rgDjpEHo7QiESWxoO2FagzVjK5fAU7xq4GbItpsMo1x9/xcOPbYtkEHaLd4l3vsVv6M7FtcwnJwa1j0XIbEnjWcpsLUGSr8dUtNBfz3bjN/KP9E8IHQdOkQDiVLYIiXGYg4OTSFj3ZN+duXl3H7utk28niXp4fCWJa1eMzqk91+SODHuoDkfPzjPBpE4Wrc9D8u8XMKibbAMKctzeTQGVTyTKHXXzj62AKzqX5ugd3nHDwsVt7ZmvmnvfT7jkDgdd6F3v1Ijs4+cEGQfeS4v0Xl8+9uCN7gyStPRpqWVCFmdlL1mQuCgLx2iSF6G92iX7Df5IU2mIpAvBNOuhD9Qc2J1Y7JzUiNycHsMhT/kAXnASCxEe/aUbEstm+mf4vw0z35Ow7gsci6QrgDzKrlB4RKFr9Z7GG/SueYkDTHtgweDeGucrclEt4uxhLDeJua+OhA70P+gHHziiiAde7NVTe0JLgK4WS01Bjq9VbQni8Yv8stdWdvmaBOcHeL0cCJIKvYj+O88Ru9H3l+x511NyHWwcb99lXSmZUygNykR1viuzn9sUmObw1ibMUSa+Hk+p6iUnVzvzuYw9wBMCJFMvRSbBiWv3h8myJTkC2v1994KLqXhYPAoQSkRKeGINKUnlIe9mTF2bqqnyHwcj5yJPumwf7kMm+nX/DJkfrTbK+lqtZFkp4J1pUnzzMyGl1d/rw4mgzrX2eHD+xNpKlbSYocGnJDLNdlzOYGb0VbDKSz0ijJ334bqD3ONzLONJSais4SCRJr8n56GHEXodrqP7gu0oq94qk3zQZjXZ8sUFAX8qtn1u9q8tRx/tBCb+4TdyFZL6Sx0419kBzAyeMV+Pfv5hf1QzUrUJIMFFp26p/uU3o4qhts0Cw13+OlJzQjNwcR0L1eXq5TmXRiOsKx/MCUfjJ1x8HyfGYzDifPPNT3T0LCEDuwYQ0rbcRy7hxrobL7iN2yoCHyT/SoPESdXx7Au25S8W8xX6VNMdAai5/Tp37Jo
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:YT2P288MB0314.CANP288.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(366016)(376014)(1800799024)(4022899009)(38070700018)(8096899003);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: uHc7clAKxymOf6UCAqpIVjMo+bl/Fh9yrsLyySoI8AQCyyMjPtxu/gPSok3S2HEXCIUSpZvHQKjvmhzxWDQOuU+TeA+j5YP3GDPruagi3THc8rWmG/7dBhnpQ1GZ0K2YZb/N+Xd1hSHKkKceejF3U15Asf2wYH8HD+q+sO2CVuxq9BzZVr/f/0yIec5+qWfhw/W3rmbmjwFitEDsX3Tsdv8h6UCztKY/oNClGF5ZaR8JNtCHk1dBmoCgeLWyWl0HDRhvvGLkRnWyti06JBuRKJ9pV9bAjR6XW4WVZJYbrs9YGKVNY43m3WKrxpBUga2WFM1gQmfOPLzGprn7sxZ+5xnY2uWt4Hvi6eYumJjb9ig/oTKVrjlAFgw/kvkeC+2OocaTG9OqdRQnF+sd/IgzvWnvbmaBHDU0cMkWY99Noo3zSIkqLikTZduWsINEQJZa1ehFKBatIorjmxjNXmJguHPOSHvyRq8kNPw51bFPC+jSl4sPCtF14Fr1MktzLuNUFW+ERMpPTcR7ZOG5PbIWEzyPrjRiCzTz3e/nwpEiJDucUjJPx1ZzO2X/lxn2qFJEbXLPnzCl1F/l0fOx8dt5zkk4xEijWsF9UJJWtO6d4adpntcyWgX/90OYJOkNtMQhwedt6puZYgR3XagP78ITg6tShXygcq+cRXeA9uvQT2cTpjdCPzmuvcbWVZqFD9ZNBWfO+7vOAIRzuMxXdnh5PxeZx1sgODOqEE5EeQhFMeE8eYoMd7Oc4fojeDv1bx0qjJDHABDfa58aLkhkljLp3En+6hvnghL5XYeiOkk6QuUyMb1jRyWXhjYCgmy90sq2PD03cL7cYxm4OvzWFxg8ajX3ERq05R2sXa+8aBBMHucWV26awGtphQAjSzCfNFexJQGCUugPobiXCQXFKy/xkXlVcnEqTJ0DSHbOtwCZPw3SHQQuxF3VFUKKg9VhugkCX4vU5amIJH21uLeheNKtXlvVQYZAKdVCOnBcBu7NPqmRgv5TwkdPEHINzbHPth+04nVdj0IjTdCn7u+ZUjXlXZQWvuYKIkGrcVbAgrE5MtU+iuyyQWq1ybnaQ1Z4cuIGnwH62F4hENtGx590P/fD0itVJJcuhzUutbw+538sCDCWPlJt4bh2Wj+JXLad7j+FXykjtHiHbu86JSmidxxwxa1iyrzfPHw9NRmYBzTT+gZoZdsw/GJKSLrk0gM1H6pmBt51Z6PJbSpGRqrZPGwUUpAr/Y8w+ImqnnAkBZsmoX/KVEKjej6n9dJqIQgdMPQ0+NaehMELldXd7mDXRXPl6y3WJJ6g4QgfMAsx97t9SFQpUNSRhtVp9QGXZFW3rPFbzbPXThdpWytNdRR8X7NFpENYrD2SYEj7h5kNUEKuwIhJUU/IhTUquwBzN8b/MqE7fv55WT7dGIk6VjCCPKSk0ay6kuGihPxm7+Z3MP0JK7PgMEgTCiVrilTS8JXKgUhbvewukkg91WNDaYxa6uEA50KDqrdc41WAwuwxrNkKH0hgj9MWyw5RLyWS4Ystcw25nA2IjQC3iBNKig+folEcfrwySfg4i0yhdL8w4saKBTcHza8hE2sjVkKwlJpykfeM
Content-Type: multipart/alternative; boundary="_000_YT2P288MB031459916AF82CF318E042C098512YT2P288MB0314CANP_"
MIME-Version: 1.0
X-OriginatorOrg: cira.ca
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: YT2P288MB0314.CANP288.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 705d2e3d-dec4-4385-455d-08dcfce1d198
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Nov 2024 15:03:19.3715 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f349b30c-7550-4f17-88da-269417631f54
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: nZvG2JKLEFAtVxi49BSCNsBMN0ciCYqKCGbBd6QKa579xqHXaiN3a7luDQ68rH0UdgRoV+x0h796BT3oMm0ZIw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: YQBP288MB0018
Message-ID-Hash: ZEXM6S54LU6OUBAYYXH4YMHWTVH7HXN7
X-Message-ID-Hash: ZEXM6S54LU6OUBAYYXH4YMHWTVH7HXN7
X-MailFrom: Jesse.Carter@cira.ca
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdispatch.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Jacques Latour <Jacques.Latour=40cira.ca@dmarc.ietf.org>, "secdispatch@ietf.org" <secdispatch@ietf.org>, Mathieu Glaude <mathieu@northernblock.io>, Tim Bouma <tim.bouma@dgc-cgn.org>, Jim Fenton <fenton@bluepopcorn.net>, "Pengshuping (Peng Shuping)" <pengshuping@huawei.com>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Secdispatch] Re: [EXT] Re: Re: Request for Review and Adoption of Internet Draft: High Assurance DIDs with DNS
List-Id: Security Dispatch <secdispatch.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/11TPPpTZGmLCc5y4gIi-TJfx4HM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Owner: <mailto:secdispatch-owner@ietf.org>
List-Post: <mailto:secdispatch@ietf.org>
List-Subscribe: <mailto:secdispatch-join@ietf.org>
List-Unsubscribe: <mailto:secdispatch-leave@ietf.org>

My apologies, I did not change the classification level of my previous message. Here is the same response with the appropriate classification.

Hey Eric, I appreciate your feedback. Hopefully I can provide some clarification on the points below.

We always sign the did documents, regardless of the did method. So did:web receives the same dataIntegrityProof treatment that any other did method does.

The URI record is used to indicate which dids are associated with that domain, by the domain. This prevents somebody from creating a DID and pointing it to a domain, and then requiring a resolver or someone interacting with the did to guess whether this association is being repudiated or not.

The contrast in the last statement is in comparison to DIDs without the added assurance of our DNS verification process. If a DID is claiming to be related to a given domain, but there is no way for the domain to repudiate or validate that association, that association cannot be taken seriously. This provides a way to affirm that association, while also duplicating the important information (PKI and ID) within the DID document across 2 completely separate sets of infrastructure, providing increased assurance that the information you are interacting with from that DID is what is intended, and indicating tampering or a potential issue when it doesn’t line up.




CLASSIFICATION:PUBLIC
From: Eric Rescorla <ekr@rtfm.com>
Sent: Sunday, November 3, 2024 4:37 PM
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: Jacques Latour <Jacques.Latour=40cira.ca@dmarc.ietf.org>; secdispatch@ietf.org; Jesse Carter <Jesse.Carter@cira.ca>; Mathieu Glaude <mathieu@northernblock.io>; Tim Bouma <tim.bouma@dgc-cgn.org>; Jim Fenton <fenton@bluepopcorn.net>; Pengshuping (Peng Shuping) <pengshuping@huawei.com>
Subject: [EXT] Re: [Secdispatch] Re: Request for Review and Adoption of Internet Draft: High Assurance DIDs with DNS

You don't often get email from ekr@rtfm.com<mailto:ekr@rtfm.com>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>

DISPATCH COMMENTS
I do not think that the IETF is the proper location for this
document. DIDs are not an IETF product and there's very little
IETF-specific in this WG. The appropriate place for this work is in
the W3C DID WG. I might feel differently if the W3C were to sendd us a
liaison statement asking us to pick up this work.


TECHNICAL COMMENTS

* did:web
I understand the design you have for did:X where X != Web, where
there is a signature from some key that is in the DNS. But
with did:web, it seems like instead the key is being used to
validate the TLS connection to the Web server? This seems
quite a bit weaker. Why not sign all th time?

* DNSSEC
I think this really needs to require DNSSEC all the time. I
have concerns about the deployability of DNSSEC, but I don't
see how this mechanism adds real safety without that.

S 3.3.
   The association to a domain stemming only from the did is
   unidirectional.  By leveraging URI records as outlined in
   [DID-in-the-DNS], we can create a bidirectional relationship,
   allowing a domain to publish their associated DID in the DNS.

   *_Ex: _did.example-issuer.ca<http://did.example-issuer.ca> IN URI 1 0 “did:web:example-issuer.ca<http://example-issuer.ca>”_*

   This relationship enhances security, as an entity would require
   control over both the DID and the domain’s DNS server to create this
   bidirectional association, reducing the likelihood of malicious
   impersonation.

I don't follow how this works. Once you are signing using a key
in the DNS, how does this new record help?


S 3.4.3.

   Hosting the public keys in TLSA records provides a stronger mechanism
   for the verifier to verify a did and its associated entity with, as
   they are able to perform a cryptographic challenge against the DID
   using the corresponding TLSA records, or against the domain using the
   corresponding [verificationMethod] in the DID document.  The
   accessibility of the public keys is also beneficial, as the verifier
   does not need to resolve the DID document to accesss its associated
   key material, enhancing interoperability.

I'm not sure what you are contrasting hosting the keys in DNS to. Can you
expand.




On Mon, Sep 9, 2024 at 10:44 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com<mailto:rifaat.s.ietf@gmail.com>> wrote:
Thanks Jacques!
We will add it to the list of topics to discuss.
Will you be attending in person or remote?

Regards,
 Rifaat


On Thu, Aug 29, 2024 at 8:57 AM Jacques Latour <Jacques.Latour=40cira.ca@dmarc.ietf.org<mailto:40cira.ca@dmarc.ietf.org>> wrote:
Hi,

ACME recommended this should be sent here for considerations.

Looking forward to see what you think and where home is 😉.

Jacques


From: Jacques Latour <Jacques.Latour@cira.ca<mailto:Jacques.Latour@cira.ca>>
Sent: August 28, 2024 4:30 PM
To: acme@ietf.org<mailto:acme@ietf.org>
Cc: Jacques Latour <Jacques.Latour@cira.ca<mailto:Jacques.Latour@cira.ca>>; Jesse Carter <Jesse.Carter@cira.ca<mailto:Jesse.Carter@cira.ca>>; Mathieu Glaude <mathieu@northernblock.io<mailto:mathieu@northernblock.io>>; Tim Bouma <tim.bouma@dgc-cgn.org<mailto:tim.bouma@dgc-cgn.org>>
Subject: Request for Review and Adoption of Internet Draft: High Assurance DIDs with DNS

Hi all!

First time asking for an internet draft adoption.


•         https://datatracker.ietf.org/doc/draft-carter-high-assurance-dids-with-dns/

As one of the authors of the internet draft titled "High Assurance DIDs with DNS" (draft-carter-high-assurance-dids-with-dns), I am writing to request the ACME Working Group to review and consider adopting this draft as part of your working group.

The draft proposes a method for integrating high assurance Decentralized Identifiers (DIDs) with the Domain Name System (DNS), aiming to enhance the security and reliability of DIDs by leveraging the established trust infrastructure of DNS. We believe that this integration aligns well with the goals and expertise of the ACME Working Group, particularly in the areas of secure and automated certificate management.
We would greatly appreciate the opportunity to present this draft to the working group and discuss its potential benefits and implementation details. Your feedback and guidance would be invaluable in refining the draft and ensuring its alignment with the broader objectives of the IETF.
Please let us know if there are any specific procedures or additional information required for this request. We are eager to collaborate with the ACME Working Group and contribute to the advancement of secure and reliable internet standards.
In terms of support and reference for this draft, we have the following references that may help justify our ask.


•         https://dhs-svip.github.io/requirements-for-decentralized-identity/TrustArchitecture/

•         DID Specification Registries (w3c.github.io)<https://w3c.github.io/did-spec-registries/#dnsvalidationdomain>

•         Trust DID Web - The did:tdw DID Method (bcgov.github.io)<https://bcgov.github.io/trustdidweb/>

Example DNS implementation:

$ dig _did.trustroot.ca<http://did.trustroot.ca> uri +dnssec +multi

_did.trustroot.ca<http://did.trustroot.ca>.      3518 IN URI 0 0 "did:web:trustroot.ca<http://trustroot.ca>"
_did.trustroot.ca<http://did.trustroot.ca>.      3518 IN RRSIG URI 13 3 3600 (
                                20240905000000 20240815000000 17999 trustroot.ca<http://trustroot.ca>.
                                4CJsquY7BEcA2YX1iWHIKzXx4lEvWa7k8JWNbp4zu3dp
                                KQXdwZ73geTKgzfNz9g5+HyckxTyNyz8LU8lA+G4lg== )

$ dig _did.trustroot.ca<http://did.trustroot.ca> tlsa +dnssec +multi

_did.trustroot.ca<http://did.trustroot.ca>.      3527 IN TLSA 3 1 1 (
                                CEEAD59AAE176DDD8889DF0B02083CB393D07655CBA9
                                D668EA334ABDBDB72A39 )
_did.trustroot.ca<http://did.trustroot.ca>.      3527 IN TLSA 3 1 0 (
                                302A300506032B6570032100C300A443F0427440AC90
                                BDA85B4F97896879564A7AB649B976FA7D15FEAFC225 )
_did.trustroot.ca<http://did.trustroot.ca>.      3527 IN RRSIG TLSA 13 3 3600 (
                                20240905000000 20240815000000 17999 trustroot.ca<http://trustroot.ca>.
                                z/E+jECtQzNi0zcBcrVa8P8UKiHx5SHcSEmN2vR6Oe4t
                                nfvjso/8/ZXo/IlWtoqgIYrCeJJ9NLFTu/q0cGwUIg== )

Thank you for your time and consideration.
Best regards,
Jacques, Jesse, Mathieu and Tim.




CLASSIFICATION:CONFIDENTIAL
_______________________________________________
Secdispatch mailing list -- secdispatch@ietf.org<mailto:secdispatch@ietf.org>
To unsubscribe send an email to secdispatch-leave@ietf.org<mailto:secdispatch-leave@ietf.org>
_______________________________________________
Secdispatch mailing list -- secdispatch@ietf.org<mailto:secdispatch@ietf.org>
To unsubscribe send an email to secdispatch-leave@ietf.org<mailto:secdispatch-leave@ietf.org>