Re: [Secdispatch] [Iot-onboarding] DANE IOT proposed outcome
Shumon Huque <shuque@gmail.com> Wed, 18 November 2020 14:10 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B3F53A0937; Wed, 18 Nov 2020 06:10:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ExLVXaQ41S7F; Wed, 18 Nov 2020 06:10:07 -0800 (PST)
Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 810873A08EB; Wed, 18 Nov 2020 06:10:07 -0800 (PST)
Received: by mail-ej1-x633.google.com with SMTP id i19so2917406ejx.9; Wed, 18 Nov 2020 06:10:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=I+lruvO1GHoYT49K1Vwn16xoJ9TtVkL1xFXefRx0j2M=; b=LgjaCpgVWY8EY5wvedBy5s42GbJXVyCERlfaxnDKT1ECMV50JFwP/CeObzBwNK4WsW 0J7Hr+YNo5yUoR9w5fGFWqPxKyO2XIYMa/tfpY+MElAWgfCvfLjQt4PWWYT9MBoY/YPB 981qZm1E1tt3h3U9F3NK0Xxptd2f99eJ+NORJEJ3rKNgZsEmd+YosFhsd1caSFHeJVIO 2XXhIkDZId70BCIPB4J40cZcplrEPf+jTRX3WHHKigaZyLsSdr8m2r0UqWjCikRYY/tQ 5MRYj6aa8zGq1YVYGsqu1Yqak999InMR/mfsBeBuKhXb2QJst6Oo6tQtYR04qfwpXcgK /3zg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=I+lruvO1GHoYT49K1Vwn16xoJ9TtVkL1xFXefRx0j2M=; b=ajDGe8mbftBXc6KDNx/z1n45IQSOHHOkyZCFPfbw+iSGVj05L0+bJqrNcZtkC3XWRW kxgi2SXMcTmMZJN4EBj7gHaL3GTrYzE2EA/zj+XibtAW715lBTVKgIv7FWjR4V+SxHEj NIIb3U6Pdldrd/ggZHzrvpVsJ7c3AnUP9nwkVxr5tJJqAm+pANxNiNGOjFgxlrmTvhTq RSMl3eAz8KLqTQ4B0st/SoPfZq3ii0AH0WNQEDTxJdNGSICK9Fxj0HH9jPoqx7EOkZ/w 3JNeaZ3NaE7EHnaWf8OPvUl7TIHLFrdnQgKjNcoTah1aVpvflrdeiX3AOjB5Orj0mO2D S9qg==
X-Gm-Message-State: AOAM531JoCAiiA8WhZffdbSzcVK7PK1VOlFvqL+Q+wun9W0sxkWs6foN RKUPKutN5i1p5Hg6iGH7PrFiMvrG5M5Z9ps20pc=
X-Google-Smtp-Source: ABdhPJxq/cvCkyHOYk+haHhJaTBrTZ71nGOLsnalGoC0Y+zWcRF1XLtZ73AjN+8ohPB5geAeLWd/cVyNbZ6xWlg9o0Q=
X-Received: by 2002:a17:906:178b:: with SMTP id t11mr15714368eje.152.1605708605993; Wed, 18 Nov 2020 06:10:05 -0800 (PST)
MIME-Version: 1.0
References: <2786E31F-2A4F-4901-8ECC-7AEF4B4D81E2@cisco.com> <b178d5066d6b4371a59ffe59bb6d6447@huawei.com> <CAHPuVdXo1o0d_WzLqTZ5s9+JNG=3kbNdTO1BrS7BdEBDd2F1Lw@mail.gmail.com> <CAEfM=vRotGf-SuYz8PKNop8zdCCA_-x+3xU81rMS6Le6EUOOFw@mail.gmail.com> <dedb5fb7-f0bc-7e35-4f90-fddc2d093873@ericsson.com>
In-Reply-To: <dedb5fb7-f0bc-7e35-4f90-fddc2d093873@ericsson.com>
From: Shumon Huque <shuque@gmail.com>
Date: Wed, 18 Nov 2020 09:09:54 -0500
Message-ID: <CAHPuVdVyfiLa0om8=-WZ+8yutTOYLLre1fKkSPjAdvhnffQhag@mail.gmail.com>
To: Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org>
Cc: "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>, IETF SecDispatch <secdispatch@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000012b76e05b4622b3b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/a7bUk077341QAoV4Yk2hYiFaans>
Subject: Re: [Secdispatch] [Iot-onboarding] DANE IOT proposed outcome
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2020 14:10:10 -0000
On Wed, Nov 18, 2020 at 7:58 AM Mohit Sethi M <mohit.m.sethi= 40ericsson.com@dmarc.ietf.org> wrote: > Hi Ash and Shumon, > > My understanding is that your solution is applicable to any scenario that > uses client certificates. Obviously IoT might be one application area for > this, but there are many other uses of client authentication with > certificates. > Mohit - yes, there are certainly other application use cases and the protocol is general purpose. Some SMTP transport security folks are interested in this to give one example. I don't have any strong opinions about whether this is useful or not. But > it might be good to have a separate focused DANE working group for these > drafts if there is strong demand for such a solution. Your presentation > also highlighted your intention of defining new RRtype and/or expanding the > scope of TLSA. These things (along with DANE light etc.) would require the > input of DNS and TLS folks (in addition to the IoT requirements). > Yup, we will certainly need to get their input on this topic. I think I saw a couple folks in the chat suggest resurrecting the DANE wg, which I'm open to, but there was pushback too (I think more detailed discussion on list was deemed necessary first). Also, I didn't understand how would server authentication work? I probably > did not listen to your presentation carefully enough but I suppose you > cannot use DANE for server authentication in scenarios where the client > device does not yet have Internet connectivity. So how would server > authentication work in EAP-TLS/SIM card/IoT bootstrapping scenarios you > discussed? > Yeah, the EAP-TLS case is trickier for DANE server authentication. There are possible mechanisms though - the TLS DNSSEC chain extension (which failed to gain consensus in the TLS WG a while back, but which will probably be published through the IETF's independent stream) would provide a way for the TLS server to deliver its DNS authentication chain inside the TLS handshake, obviating the need for the client to perform DNS queries prior to Internet connectivity. There are probably other solutions that could be devised. Shumon.
- [Secdispatch] DANE IOT proposed outcome Eliot Lear
- Re: [Secdispatch] DANE IOT proposed outcome Panwei (William)
- Re: [Secdispatch] [Iot-onboarding] DANE IOT propo… Eliot Lear
- Re: [Secdispatch] [Iot-onboarding] DANE IOT propo… Panwei (William)
- Re: [Secdispatch] [Iot-onboarding] DANE IOT propo… Toerless Eckert
- Re: [Secdispatch] DANE IOT proposed outcome Shumon Huque
- Re: [Secdispatch] [Iot-onboarding] DANE IOT propo… Panwei (William)
- Re: [Secdispatch] DANE IOT proposed outcome Shumon Huque
- Re: [Secdispatch] [Iot-onboarding] DANE IOT propo… Shumon Huque
- Re: [Secdispatch] DANE IOT proposed outcome Panwei (William)
- Re: [Secdispatch] [Iot-onboarding] DANE IOT propo… Ash Wilson
- Re: [Secdispatch] [Iot-onboarding] DANE IOT propo… Panwei (William)
- Re: [Secdispatch] DANE IOT proposed outcome Michael Richardson
- [Secdispatch] Confusing terminology was Re: [Iot-… Mohit Sethi M
- Re: [Secdispatch] [Iot-onboarding] DANE IOT propo… Mohit Sethi M
- Re: [Secdispatch] Confusing terminology was Re: [… Eliot Lear
- Re: [Secdispatch] [Iot-onboarding] DANE IOT propo… Shumon Huque
- Re: [Secdispatch] [Iot-onboarding] DANE IOT propo… Mohit Sethi M
- Re: [Secdispatch] [Iot-onboarding] DANE IOT propo… Shumon Huque
- Re: [Secdispatch] [Iot-onboarding] DANE IOT propo… Ash Wilson
- Re: [Secdispatch] DANE IOT proposed outcome Michael Richardson