[Secdispatch] Re: [EXT] Re: Re: Request for Review and Adoption of Internet Draft: High Assurance DIDs with DNS
Jesse Carter <Jesse.Carter@cira.ca> Mon, 04 November 2024 14:46 UTC
To: Eric Rescorla <ekr@rtfm.com>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
CC: Jacques Latour <Jacques.Latour=40cira.ca@dmarc.ietf.org>, "secdispatch@ietf.org" <secdispatch@ietf.org>, Mathieu Glaude <mathieu@northernblock.io>, Tim Bouma <tim.bouma@dgc-cgn.org>, Jim Fenton <fenton@bluepopcorn.net>, "Pengshuping (Peng Shuping)" <pengshuping@huawei.com>
Message-ID: <YT2P288MB0314ADA2979687E083A3CCA998512@YT2P288MB0314.CANP288.PROD.OUTLOOK.COM>
In-Reply-To: <CABcZeBNa7KG4SNxqpJnNhA9KtyOiO5e9efb-xX+m9p0od7hzxA@mail.gmail.com>
List-Id: Security Dispatch <secdispatch.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/jGIB6v70R9DvXM6W0exk_HedhLg>
Hey Eric,

I appreciate your feedback. Hopefully I can provide some clarification on the points below.

We always sign the did documents, regardless of the did method. So did:web receives the same dataIntegrityProof treatment that any other did method does.

The URI record is used to indicate which dids are associated with that domain, by the domain. This prevents somebody from creating a DID and pointing it to a domain, and then requiring a resolver or someone interacting with the did to guess whether this association is being repudiated or not.

The contrast in the last statement is in comparison to DIDs without the added assurance of our DNS verification process. If a DID is claiming to be related to a given domain, but there is no way for the domain to repudiate or validate that association, that association cannot be taken seriously. This provides a way to affirm that association, while also duplicating the important information (PKI and ID) within the DID document across 2 completely separate sets of infrastructure, providing increased assurance that the information you are interacting with from that DID is what is intended, and indicating tampering or a potential issue when it doesn't line up.

From: Eric Rescorla <ekr@rtfm.com>
Sent: Sunday, November 3, 2024 4:37 PM
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: Jacques Latour <Jacques.Latour=40cira.ca@dmarc.ietf.org>; secdispatch@ietf.org; Jesse Carter <Jesse.Carter@cira.ca>; Mathieu Glaude <mathieu@northernblock.io>; Tim Bouma <tim.bouma@dgc-cgn.org>; Jim Fenton <fenton@bluepopcorn.net>; Pengshuping (Peng Shuping) <pengshuping@huawei.com>
Subject: [EXT] Re: [Secdispatch] Re: Request for Review and Adoption of Internet Draft: High Assurance DIDs with DNS

DISPATCH COMMENTS

I do not think that the IETF is the proper location for this document. DIDs are not an IETF product and there's very little IETF-specific in this WG. The appropriate place for this work is in the W3C DID WG. I might feel differently if the W3C were to send us a liaison statement asking us to pick up this work.

TECHNICAL COMMENTS

* did:web

I understand the design you have for did:X where X != Web, where there is a signature from some key that is in the DNS. But with did:web, it seems like instead the key is being used to validate the TLS connection to the Web server? This seems quite a bit weaker. Why not sign all the time?

* DNSSEC

I think this really needs to require DNSSEC all the time. I have concerns about the deployability of DNSSEC, but I don't see how this mechanism adds real safety without that.

S 3.3.

   The association to a domain stemming only from the did is unidirectional. By leveraging URI records as outlined in [DID-in-the-DNS], we can create a bidirectional relationship, allowing a domain to publish their associated DID in the DNS.

   Ex: _did.example-issuer.ca IN URI 1 0 "did:web:example-issuer.ca"

   This relationship enhances security, as an entity would require control over both the DID and the domain's DNS server to create this bidirectional association, reducing the likelihood of malicious impersonation.

I don't follow how this works. Once you are signing using a key in the DNS, how does this new record help?

S 3.4.3.

   Hosting the public keys in TLSA records provides a stronger mechanism for the verifier to verify a did and its associated entity with, as they are able to perform a cryptographic challenge against the DID using the corresponding TLSA records, or against the domain using the corresponding [verificationMethod] in the DID document. The accessibility of the public keys is also beneficial, as the verifier does not need to resolve the DID document to access its associated key material, enhancing interoperability.

I'm not sure what you are contrasting hosting the keys in DNS to. Can you expand?

On Mon, Sep 9, 2024 at 10:44 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:

Thanks Jacques! We will add it to the list of topics to discuss. Will you be attending in person or remote?

Regards,
Rifaat

On Thu, Aug 29, 2024 at 8:57 AM Jacques Latour <Jacques.Latour=40cira.ca@dmarc.ietf.org> wrote:

Hi,

ACME recommended this should be sent here for consideration. Looking forward to seeing what you think and where home is 😉.

Jacques

From: Jacques Latour <Jacques.Latour@cira.ca>
Sent: August 28, 2024 4:30 PM
To: acme@ietf.org
Cc: Jacques Latour <Jacques.Latour@cira.ca>; Jesse Carter <Jesse.Carter@cira.ca>; Mathieu Glaude <mathieu@northernblock.io>; Tim Bouma <tim.bouma@dgc-cgn.org>
Subject: Request for Review and Adoption of Internet Draft: High Assurance DIDs with DNS

Hi all!

First time asking for an internet draft adoption.

• https://datatracker.ietf.org/doc/draft-carter-high-assurance-dids-with-dns/

As one of the authors of the internet draft titled "High Assurance DIDs with DNS" (draft-carter-high-assurance-dids-with-dns), I am writing to request the ACME Working Group to review and consider adopting this draft as part of your working group. The draft proposes a method for integrating high assurance Decentralized Identifiers (DIDs) with the Domain Name System (DNS), aiming to enhance the security and reliability of DIDs by leveraging the established trust infrastructure of DNS.

We believe that this integration aligns well with the goals and expertise of the ACME Working Group, particularly in the areas of secure and automated certificate management. We would greatly appreciate the opportunity to present this draft to the working group and discuss its potential benefits and implementation details. Your feedback and guidance would be invaluable in refining the draft and ensuring its alignment with the broader objectives of the IETF.

Please let us know if there are any specific procedures or additional information required for this request. We are eager to collaborate with the ACME Working Group and contribute to the advancement of secure and reliable internet standards.

In terms of support and reference for this draft, we have the following references that may help justify our ask.

• https://dhs-svip.github.io/requirements-for-decentralized-identity/TrustArchitecture/
• DID Specification Registries (w3c.github.io) <https://w3c.github.io/did-spec-registries/#dnsvalidationdomain>
• Trust DID Web - The did:tdw DID Method (bcgov.github.io) <https://bcgov.github.io/trustdidweb/>

Example DNS implementation:

$ dig _did.trustroot.ca uri +dnssec +multi
_did.trustroot.ca.      3518 IN URI 0 0 "did:web:trustroot.ca"
_did.trustroot.ca.      3518 IN RRSIG URI 13 3 3600 (
                                20240905000000 20240815000000 17999 trustroot.ca.
                                4CJsquY7BEcA2YX1iWHIKzXx4lEvWa7k8JWNbp4zu3dp
                                KQXdwZ73geTKgzfNz9g5+HyckxTyNyz8LU8lA+G4lg== )

$ dig _did.trustroot.ca tlsa +dnssec +multi
_did.trustroot.ca.      3527 IN TLSA 3 1 1 (
                                CEEAD59AAE176DDD8889DF0B02083CB393D07655CBA9
                                D668EA334ABDBDB72A39 )
_did.trustroot.ca.      3527 IN TLSA 3 1 0 (
                                302A300506032B6570032100C300A443F0427440AC90
                                BDA85B4F97896879564A7AB649B976FA7D15FEAFC225 )
_did.trustroot.ca.      3527 IN RRSIG TLSA 13 3 3600 (
                                20240905000000 20240815000000 17999 trustroot.ca.
                                z/E+jECtQzNi0zcBcrVa8P8UKiHx5SHcSEmN2vR6Oe4t
                                nfvjso/8/ZXo/IlWtoqgIYrCeJJ9NLFTu/q0cGwUIg== )

Thank you for your time and consideration.

Best regards,
Jacques, Jesse, Mathieu and Tim.

_______________________________________________
Secdispatch mailing list -- secdispatch@ietf.org
To unsubscribe send an email to secdispatch-leave@ietf.org
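The exchange above turns on one verifier-side check: the domain publishes its DID in a URI record at _did.<domain> and the DID document's key in TLSA records at the same name, and a verifier accepts the DID-to-domain association only when both agree with the DID document and the DNS answers were DNSSEC-validated. The following is an added example of that check, written for this page; it is not code from the thread, the draft, or CIRA. It assumes the DID document carries an Ed25519 key as an OKP publicKeyJwk (one representation chosen for the example; the draft does not prescribe one), takes the DNSSEC outcome as the AD flag a validating resolver would report, and uses a constructed DID document, key, and dig-style records rather than the trustroot.ca records quoted above.

```python
"""Verifier-side check of the bidirectional DID <-> domain binding: URI record
(domain names the DID) plus TLSA records (domain publishes the DID's key), both
required to match the DID document, under DNSSEC.  Every name, key, record and
signature below is constructed for this example."""
import base64
import copy
import hashlib
import re

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410); the 32 raw key bytes
# follow it.  TLSA selector 1 covers the SPKI, so matching type 0 (full) and
# type 1 (SHA-256) are both computed over this encoding.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def parse_dig_multi(text):
    """Parse `dig +multi` presentation output into {(owner, type): [rdata tokens]}.
    Parenthesised rdata spanning several lines is joined.  RRSIG lines are kept as
    data only: signature validation is the validating resolver's job, reported via
    the AD flag, which the caller passes to verify_binding separately."""
    joined = re.sub(r"\(\s*(.*?)\s*\)",
                    lambda m: " ".join(m.group(1).split()), text, flags=re.S)
    records = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.setdefault((owner.rstrip(".").lower(), rtype.upper()), []).append(rdata)
    return records


def spki_from_did_document(did_doc):
    """SPKI bytes of the document's first Ed25519 verificationMethod (assumed to be
    published as an OKP publicKeyJwk; a choice made for this example)."""
    for vm in did_doc.get("verificationMethod", []):
        jwk = vm.get("publicKeyJwk", {})
        if jwk.get("kty") == "OKP" and jwk.get("crv") == "Ed25519":
            x = jwk["x"]
            return ED25519_SPKI_PREFIX + base64.urlsafe_b64decode(x + "=" * (-len(x) % 4))
    raise ValueError("no Ed25519 verificationMethod in DID document")


def verify_binding(did, domain, did_doc, records, dnssec_validated):
    """Return a list of problems; an empty list means the binding holds."""
    problems = []
    if not dnssec_validated:
        problems.append("DNS answers were not DNSSEC-validated (AD flag clear)")
    owner = f"_did.{domain}".lower()
    # 1. The domain must name this DID itself (URI rdata: priority weight "target").
    uris = [r[2].strip('"') for r in records.get((owner, "URI"), []) if len(r) >= 3]
    if did not in uris:
        problems.append(f"{owner} URI record does not list {did}")
    # 2. The key published in DNS must equal the key in the DID document.
    spki = spki_from_did_document(did_doc)
    tlsa = records.get((owner, "TLSA"), [])
    if not tlsa:
        problems.append(f"no TLSA record at {owner}")
    for usage, selector, mtype, *hexparts in tlsa:
        if (usage, selector) != ("3", "1"):
            problems.append(f"unexpected TLSA usage/selector {usage} {selector}")
            continue
        data = bytes.fromhex("".join(hexparts))
        if mtype == "0":
            expected = spki
        elif mtype == "1":
            expected = hashlib.sha256(spki).digest()
        else:
            problems.append(f"unsupported TLSA matching type {mtype}")
            continue
        if data != expected:
            problems.append(f"TLSA 3 1 {mtype} does not match the DID document key")
    return problems


# --- constructed sample: DID document plus the records a validating resolver
# --- would return for _did.example-issuer.ca (key and RRSIG are placeholders)
SAMPLE_DID = "did:web:example-issuer.ca"
SAMPLE_DOMAIN = "example-issuer.ca"
_RAW_KEY = bytes(range(32))  # stand-in for a real Ed25519 public key
_SPKI = ED25519_SPKI_PREFIX + _RAW_KEY
SAMPLE_DID_DOC = {
    "id": SAMPLE_DID,
    "verificationMethod": [{
        "id": SAMPLE_DID + "#key-1", "type": "JsonWebKey2020", "controller": SAMPLE_DID,
        "publicKeyJwk": {"kty": "OKP", "crv": "Ed25519",
                         "x": base64.urlsafe_b64encode(_RAW_KEY).rstrip(b"=").decode()},
    }],
}
SAMPLE_DIG = f"""
_did.example-issuer.ca. 3600 IN URI 1 0 "{SAMPLE_DID}"
_did.example-issuer.ca. 3600 IN TLSA 3 1 0 ( {_SPKI[:22].hex().upper()}
                                             {_SPKI[22:].hex().upper()} )
_did.example-issuer.ca. 3600 IN TLSA 3 1 1 ( {hashlib.sha256(_SPKI).hexdigest().upper()} )
_did.example-issuer.ca. 3600 IN RRSIG TLSA 13 3 3600 ( 20240905000000 20240815000000
                                             17999 example-issuer.ca. PLACEHOLDER-RRSIG== )
"""


def run_sample(tampered_key=False, dnssec_validated=True):
    """Run the check on the sample; tampered_key swaps the DID document's key to
    mimic a substituted DID document that DNS no longer corroborates."""
    doc = copy.deepcopy(SAMPLE_DID_DOC)
    if tampered_key:
        doc["verificationMethod"][0]["publicKeyJwk"]["x"] = \
            base64.urlsafe_b64encode(bytes(32)).rstrip(b"=").decode()
    return verify_binding(SAMPLE_DID, SAMPLE_DOMAIN, doc,
                          parse_dig_multi(SAMPLE_DIG), dnssec_validated)


if __name__ == "__main__":
    print("intact:", run_sample() or "binding holds")
    print("tampered:", run_sample(tampered_key=True))
    print("no DNSSEC:", run_sample(dnssec_validated=False))
```

The DNSSEC check is deliberately the first thing reported: without a validated answer the URI and TLSA records carry no more assurance than the DID document they are meant to corroborate, which is the point made in the thread. A real verifier would also validate the dataIntegrityProof on the DID document with the same key; that step is left out here because it needs an Ed25519 library rather than the standard library.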