Re: [Secdispatch] [EXTERNAL] Re: Requesting agenda time for draft-halen-fed-tls-auth

Mike Ounsworth <Mike.Ounsworth@entrust.com> Tue, 12 July 2022 22:32 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/-wSTSxsiORkvqUwaeGn9rzyU9rU>

The draft itself sounds like it's trying to solve the problem of meshing multiple PKIs into a single trust hierarchy, which you can already do within existing PKIX standards via cross-certs (with name constraints, pathlen constraints, etc.) to the CA of each trust domain (either pairwise or via a central "bridge CA").

The email thread sounds like it's also trying to solve service discovery at the same time. It's doing this via a mashup of federated SAML and PKI. No doubt this is an interesting solution to real problems, but it's not clear to me that we benefit from making it into an Internet standard. Are you seeing multiple vendors with similar but not-quite-compatible implementations that are in need of standardization?


About this point:

> Issuers are for reverse proxies that do not support optional_no_ca. Pin
> validation is performed by the application

The HTTPbis WG has "draft-ietf-httpbis-client-cert-field" coming down the pipeline (formerly "draft-bdc-something-something-certificate") which should help shepherd reverse proxy vendors into better support for delegating client cert validation back to the application. To me, the option to make reverse proxies "dumber" in a standard way seems like a better solution than building a federated SAML layer on top in order to make reverse proxies "smarter".

---
Mike Ounsworth
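The two points made above, joining trust domains with a cross-certificate that carries name and path-length constraints, and letting the application rather than the proxy decide whether a forwarded client certificate is trusted, as an added Go example that is not part of this thread, of draft-halen-fed-tls-auth or of the HTTPbis draft. Everything in it is constructed: the domain names (b.example, solo.c.example, login.a.example), the keys, and the names `Federation`, `BuildDemo` and `Authenticate` are this example's own. Domain A's root cross-certifies domain B's root key with nameConstraints (only hosts under b.example) and pathLenConstraint=0 (no sub-CAs under B); `Authenticate` stands in for the application behind a "dumb" proxy that completed the handshake and forwarded the client certificate as DER. The pin branch is the "issuers" case from the quoted text: a self-signed peer is accepted by its public key, with the identity taken from configuration rather than from the self-asserted certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // demo only: every error swallowed here would be a programming error
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// template: CAs get the signing key usages; leaves get clientAuth and a DNS SAN as identity.
func template(cn string, ca bool, dns ...string) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, DNSNames: dns, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return t
}

// issue binds pub into tmpl and signs with signer; parent == nil means self-signed.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// crossCertify: A's root certifies B's root key under B's own subject name, fenced by
// nameConstraints (only hosts under bDomain) and pathLenConstraint=0 (no sub-CAs under B).
func crossCertify(rootA *x509.Certificate, keyA *ecdsa.PrivateKey, rootB *x509.Certificate, bDomain string) *x509.Certificate {
	t := template(rootB.Subject.CommonName, true)
	t.RawSubject = rootB.RawSubject // byte-identical to B's root, so B's leaves chain to it
	t.MaxPathLen, t.MaxPathLenZero = 0, true
	t.PermittedDNSDomains, t.PermittedDNSDomainsCritical = []string{bDomain}, true
	return issue(t, rootB.PublicKey.(*ecdsa.PublicKey), rootA, keyA)
}

// Federation is domain A's relying-application config (a made-up name for this example): its anchor,
// the cross-certs, and pins keyed by a self-signed peer's raw SubjectPublicKeyInfo (a SHA-256 of it is
// the usual compact pin form; the raw bytes are used here to keep the example short).
type Federation struct {
	Roots, Intermediates *x509.CertPool
	Pins                 map[string]string // raw SPKI -> configured identity
}

// Authenticate is the check a "dumb" proxy delegates to the application, given the DER client
// cert the proxy forwarded (e.g. base64 in a Client-Cert header). The handshake already proved
// key possession; whether that key is trusted is decided here, by chain or by configured pin.
func (f *Federation) Authenticate(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", fmt.Errorf("forwarded client cert: %w", err)
	}
	if id, ok := f.Pins[string(cert.RawSubjectPublicKeyInfo)]; ok && time.Now().After(cert.NotBefore) && time.Now().Before(cert.NotAfter) {
		return "pin:" + id, nil // identity comes from configuration, not from the self-signed cert
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: f.Roots, Intermediates: f.Intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}) // enforces the cross-cert constraints
	if err != nil || len(cert.DNSNames) == 0 {
		return "", fmt.Errorf("peer rejected: %v (DNS SANs: %v)", err, cert.DNSNames)
	}
	return "chain:" + cert.DNSNames[0], nil
}

// BuildDemo joins two constructed trust domains by one cross-cert; returns the config and four peers' DER certs.
func BuildDemo() (*Federation, map[string][]byte) {
	keyA, keyB, subKey, soloKey := newKey(), newKey(), newKey(), newKey()
	rootA := issue(template("Root A", true), &keyA.PublicKey, nil, keyA)
	rootB := issue(template("Root B", true), &keyB.PublicKey, nil, keyB)
	sub := issue(template("Sub B", true), &subKey.PublicKey, rootB, keyB) // a sub-CA the cross-cert forbids
	solo := issue(template("solo", false, "solo.c.example"), &soloKey.PublicKey, nil, soloKey)
	fed := &Federation{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		Pins: map[string]string{string(solo.RawSubjectPublicKeyInfo): "solo.c.example"}}
	fed.Roots.AddCert(rootA)
	fed.Intermediates.AddCert(crossCertify(rootA, keyA, rootB, "b.example"))
	fed.Intermediates.AddCert(sub) // even with B's sub-CA cert at hand, pathLen=0 rejects its leaves
	return fed, map[string][]byte{
		"good":       issue(template("api", false, "api.b.example"), &newKey().PublicKey, rootB, keyB).Raw,
		"rogue-name": issue(template("evil", false, "login.a.example"), &newKey().PublicKey, rootB, keyB).Raw,
		"via-sub-ca": issue(template("deep", false, "deep.b.example"), &newKey().PublicKey, sub, subKey).Raw,
		"pinned":     solo.Raw,
	}
}

func main() {
	fed, peers := BuildDemo()
	for name, der := range peers {
		id, err := fed.Authenticate(der)
		fmt.Printf("%-10s id=%q err=%v\n", name, id, err)
	}
}
```

Running it prints one line per constructed peer: the B-issued certificate under b.example and the pinned self-signed key are accepted, while the B-issued certificate naming a host in A's namespace fails on the name constraint and the leaf issued through B's sub-CA fails on the path-length constraint, both inside `x509.Verify` with no application logic of its own. The pin branch is only sound because the proxy completed the TLS handshake with that certificate (the optional_no_ca-style setup from the quoted text), which proves possession of the key; the application should also accept the forwarded certificate only on a hop it controls, since anyone who can set that header could otherwise assert any certificate.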

-----Original Message-----
From: Secdispatch <secdispatch-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: July 12, 2022 4:32 PM
To: Stefan Halen <stefan.halen=40internetstiftelsen.se@dmarc.ietf.org>
Cc: secdispatch@ietf.org
Subject: [EXTERNAL] Re: [Secdispatch] Requesting agenda time for draft-halen-fed-tls-auth


Stefan Halen <stefan.halen=40internetstiftelsen.se@dmarc.ietf.org> wrote:
    > The metadata is also used for discovery. The client normally selects a
    > server based on metadata claims (e.g., organization, tags). The client
    > connects to the server's base_uri, also found in metadata.

    > The federation operator must keep track of the members and which
    > combinations of tags and peer type each member may publish.

    > To enable self-signed certificates, there is the possibility of
    > publishing issuers.

Perhaps I'll understand the problem more after you revise the document, or maybe your slides will motivate things.  I am generally enthusiastic about anything that pushes for more use of mutual TLS authentication!

I understood part of the solution, but I completely did not understand what problem you are dealing with!!!

    > Issuers are for reverse proxies that do not support optional_no_ca. Pin
    > validation is performed by the application

If I understood this comment, the issue is that there are TLS-terminating proxies that can only validate client TLS certificates from CAs that they have been configured with.

They can not opportunistically use a certificate provided in the TLS setup to complete the TLS connection, and then allow an application framework behind them to indicate if the client certificate should have been accepted or not.

I don't yet understand how your protocol solves this, but I think that RFC8995 could suffer from this constraint in the Registrar->MASA connection.

https://datatracker.ietf.org/doc/draft-bdc-something-something-certificate/
tried to find a place to be adopted, and I think that had it gotten somewhere that it might have helped you.
(Yes, there are issues of how to make this work with TLS 1.3 re-authentication)

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-


