Re: [Secdispatch] Requesting agenda time for draft-halen-fed-tls-auth

Stefan Halen <stefan.halen@internetstiftelsen.se> Fri, 08 July 2022 15:02 UTC

From: Stefan Halen <stefan.halen@internetstiftelsen.se>
To: Eric Rescorla <ekr@rtfm.com>
CC: "secdispatch@ietf.org" <secdispatch@ietf.org>, "secdispatch-chairs@ietf.org" <secdispatch-chairs@ietf.org>
Thread-Topic: [Secdispatch] Requesting agenda time for draft-halen-fed-tls-auth
Thread-Index: AQHYkTxJZh+3w1CapU6UncoT060w261zf7wAgAEU+4A=
Date: Fri, 08 Jul 2022 15:01:25 +0000
Message-ID: <fded171a-9f7e-3633-c5e2-c959e8ff405d@internetstiftelsen.se>
References: <e5685a29-f8b6-f44a-ad8a-cda5da1c1e75@internetstiftelsen.se> <CABcZeBPn+FuHWFffWBTtQW9wzhuSO8piBRrTfDQ3ikJZRS_FFw@mail.gmail.com>
In-Reply-To: <CABcZeBPn+FuHWFffWBTtQW9wzhuSO8piBRrTfDQ3ikJZRS_FFw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/2SdtleFDgynkIAgS170E-g2XE_E>
Subject: Re: [Secdispatch] Requesting agenda time for draft-halen-fed-tls-auth

> But as I understand this design, you in fact have a PKI, it's
> just that it's carried in a single JWS-signed metadata object
> rather than in X.509 certificates. This seems less flexible,
> so it's not clear to me what the advantage of this design
> is.

The metadata is also used for discovery. The client normally selects a
server based on metadata claims (e.g., organization, tags). The client
connects to the server's base_uri, also found in the metadata.

The federation operator must keep track of the members and which
combinations of tags and peer type each member may publish.

To enable self-signed certificates, there is the possibility of
publishing issuers.

Issuers are for reverse proxies that do not support optional_no_ca. Pin
validation is performed by the application.

> This needs considerably more detail about how it is used
> in practice. Specifically, it's not clear to me what
> the reference identity is that I am supposed to compare
> the pins to. I.e., if I think I am connecting to a given
> domain name, which is the common practice, how do I look
> that up in the metadata?

In this federation, clients will only connect to services with which
they have a business relationship (i.e., discovery by organization and
tags).


Thank you for the input!

Regards
Stefan
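As an added illustration of the two points made in this reply (discovery by organization and tags rather than by hostname, and pin validation done by the application), here is example code that is not from the draft or its author; the metadata layout, organization names and the SPKI byte strings are constructed assumptions, not the draft's normative schema.

```python
import base64
import hashlib
import hmac


def spki_pin(spki_der: bytes) -> str:
    """Pin value: SHA-256 over the DER-encoded SubjectPublicKeyInfo, base64 encoded."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed stand-ins for DER SPKI blobs; in practice these come from the
# leaf certificate the peer presents in the TLS handshake.
GOOD_SPKI = b"constructed-spki-of-the-legitimate-server"
OTHER_SPKI = b"constructed-spki-of-some-other-key"

# Constructed federation metadata (assumed layout; in the draft it would be
# carried inside the JWS-signed metadata object published by the operator).
METADATA = {
    "entities": [
        {
            "organization": "Example Hospital",
            "servers": [
                {
                    "base_uri": "https://api.example-hospital.example",
                    "tags": ["ehr", "prod"],
                    "pins": [{"alg": "sha256", "digest": spki_pin(GOOD_SPKI)}],
                }
            ],
        },
        {
            "organization": "Other Org",
            "servers": [
                {
                    "base_uri": "https://api.other.example",
                    "tags": ["ehr"],
                    "pins": [{"alg": "sha256", "digest": spki_pin(OTHER_SPKI)}],
                }
            ],
        },
    ]
}


def discover_servers(metadata: dict, organization: str, required_tags: list) -> list:
    """Discovery step: select servers by organization and tags, never by hostname."""
    wanted = set(required_tags)
    return [
        srv
        for ent in metadata["entities"]
        if ent["organization"] == organization
        for srv in ent.get("servers", [])
        if wanted <= set(srv.get("tags", []))
    ]


def pin_matches(server: dict, peer_spki_der: bytes) -> bool:
    """Application-level check: the presented leaf SPKI must match a published pin."""
    got = spki_pin(peer_spki_der)
    return any(
        p["alg"] == "sha256" and hmac.compare_digest(p["digest"], got)
        for p in server.get("pins", [])
    )
```

The reference identity the pin is compared against is therefore the server entry chosen at discovery time, not the domain name in base_uri.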