Re: [Secdispatch] Requesting agenda time for draft-halen-fed-tls-auth

Eric Rescorla <ekr@rtfm.com> Fri, 08 July 2022 23:26 UTC

References: <e5685a29-f8b6-f44a-ad8a-cda5da1c1e75@internetstiftelsen.se> <CABcZeBPn+FuHWFffWBTtQW9wzhuSO8piBRrTfDQ3ikJZRS_FFw@mail.gmail.com> <fded171a-9f7e-3633-c5e2-c959e8ff405d@internetstiftelsen.se>
In-Reply-To: <fded171a-9f7e-3633-c5e2-c959e8ff405d@internetstiftelsen.se>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 08 Jul 2022 16:25:53 -0700
Message-ID: <CABcZeBNjg7eHVqszxiu8ZivJ3H26toLJqVTmbzCETcc4pNhQUg@mail.gmail.com>
To: Stefan Halen <stefan.halen@internetstiftelsen.se>
Cc: "secdispatch@ietf.org" <secdispatch@ietf.org>, "secdispatch-chairs@ietf.org" <secdispatch-chairs@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/SSUHrsDP2TD9P-Cgvy6YZwNx0ko>
Subject: Re: [Secdispatch] Requesting agenda time for draft-halen-fed-tls-auth

Thanks for your response. I would advise putting these points in the
specification.

-Ekr


On Fri, Jul 8, 2022 at 8:01 AM Stefan Halen <
stefan.halen@internetstiftelsen.se> wrote:

>  > But as I understand this design, you in fact have a PKI, it's
>  > just that it's carried in a single JWS-signed metadata object
>  > rather than in X.509 certificates. This seems less flexible,
>  > so it's not clear to me what the advantage of this design
>  > is.
>
> The metadata is also used for discovery. The client normally selects a
> server based on metadata claims (e.g., organization, tags). The client
> connects to the server's base_uri, also found in metadata.
>
> The federation operator must keep track of the members and which
> combinations of tags and peer type each member may publish.
>
> To enable self-signed certificates, there is the possibility of
> publishing issuers.
>
> Issuers are for reverse proxies that do not support optional_no_ca. Pin
> validation is performed by the application.
>
>  > This needs considerably more detail about how it is used
>  > in practice. Specifically, it's not clear to me what
>  > the reference identity is that I am supposed to compare
>  > the pins to. I.e., if I think I am connecting to a given
>  > domain name, which is the common practice, how do I look
>  > that up in the metadata?
>
> In this federation, clients will only connect to services with which
> they have a business relationship (i.e., discovery by organization and
> tags).
>
>
> Thank you for the input!
>
> Regards
> Stefan
>
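The flow Stefan describes (select a server by organization and tags from the signed metadata, connect to its base_uri, and let the application check the pin) in an added Python sketch that is not part of this thread or of the draft. The metadata layout beyond the organization, tags and base_uri claims named above, the pin encoding (base64 of SHA-256 over the SubjectPublicKeyInfo), and the SPKI byte strings are constructed assumptions; JWS verification of the metadata is assumed to have already happened.

```python
import base64
import hashlib
import hmac


def spki_pin(spki_der: bytes) -> str:
    """Assumed pin format: base64 of SHA-256 over the server's SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
BANK_SPKI = b"constructed-spki-of-example-bank-server"
ROGUE_SPKI = b"constructed-spki-of-some-other-server"

# Constructed federation metadata, assumed already verified against the
# federation's JWS signing key. The entities/servers/pins/alg/digest layout is
# assumed for illustration; organization, tags and base_uri are the claims the
# thread names.
METADATA = {
    "entities": [
        {
            "organization": "Example Bank",
            "servers": [
                {
                    "tags": ["payments", "prod"],
                    "base_uri": "https://api.example-bank.test",
                    "pins": [{"alg": "sha256", "digest": spki_pin(BANK_SPKI)}],
                }
            ],
        }
    ]
}


def select_servers(metadata: dict, organization: str, required_tags: list) -> list:
    """Discovery step: the reference identity is a metadata entry chosen by
    organization and tags, not the DNS name inside base_uri."""
    wanted = set(required_tags)
    return [
        srv
        for ent in metadata["entities"]
        if ent["organization"] == organization
        for srv in ent["servers"]
        if wanted <= set(srv["tags"])
    ]


def verify_pin(server: dict, presented_spki: bytes) -> bool:
    """Application-level check after the TLS handshake: the key the server
    presented must match a pin published for the selected metadata entry."""
    presented = spki_pin(presented_spki)
    return any(
        pin["alg"] == "sha256" and hmac.compare_digest(pin["digest"], presented)
        for pin in server["pins"]
    )
```

A client that skips the pin check after connecting to base_uri would be trusting whatever the reverse proxy presents, which is why the thread puts pin validation in the application rather than in the TLS layer.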