IETF Logo Mail Archive

Re: [Secdispatch] Requesting agenda time for draft-halen-fed-tls-auth

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 12 July 2022 21:32 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8D93C157B4A for <secdispatch@ietfa.amsl.com>; Tue, 12 Jul 2022 14:32:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CmRFct7gkoGz for <secdispatch@ietfa.amsl.com>; Tue, 12 Jul 2022 14:32:20 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F9C1C159480 for <secdispatch@ietf.org>; Tue, 12 Jul 2022 14:32:19 -0700 (PDT)
Received: from dooku.sandelman.ca (cpef81d0f835a73-cmf81d0f835a70.sdns.net.rogers.com [174.115.215.42]) by relay.sandelman.ca (Postfix) with ESMTPS id 412741F47D; Tue, 12 Jul 2022 21:32:18 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 44A9A1A051E; Tue, 12 Jul 2022 17:32:16 -0400 (EDT)
Received: from dooku (localhost [127.0.0.1]) by dooku.sandelman.ca (Postfix) with ESMTP id 422B91A0373; Tue, 12 Jul 2022 17:32:16 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Stefan Halen <stefan.halen=40internetstiftelsen.se@dmarc.ietf.org>
cc: "secdispatch@ietf.org" <secdispatch@ietf.org>
In-reply-to: <fded171a-9f7e-3633-c5e2-c959e8ff405d@internetstiftelsen.se>
References: <e5685a29-f8b6-f44a-ad8a-cda5da1c1e75@internetstiftelsen.se> <CABcZeBPn+FuHWFffWBTtQW9wzhuSO8piBRrTfDQ3ikJZRS_FFw@mail.gmail.com> <fded171a-9f7e-3633-c5e2-c959e8ff405d@internetstiftelsen.se>
Comments: In-reply-to Stefan Halen <stefan.halen=40internetstiftelsen.se@dmarc.ietf.org> message dated "Fri, 08 Jul 2022 15:01:25 -0000."
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Tue, 12 Jul 2022 17:32:16 -0400
Message-ID: <758931.1657661536@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/jzEV2BjYIQggtWp_zZeKIv2Eby0>
Subject: Re: [Secdispatch] Requesting agenda time for draft-halen-fed-tls-auth
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2022 21:32:23 -0000

Stefan Halen <stefan.halen=40internetstiftelsen.se@dmarc.ietf.org> wrote:
    > The metadata is also used for discovery. The client normally select a
    > server based on metadata claims (e.g., organization, tags). The client
    > connects to the server's base_uri, also found in metadata.

    > The federation operator must keep track of the members and which
    > combinations of tags and peer type each member may publish.

    > To enable self-signed certificates, there is the possibility of
    > publishing issuers.

Perhaps I'll understand the problem more after you revise the document, or
maybe your slides will motivate things.  I am generally enthusiastic about
anything that pushes for more use of mutual TLS authentication!

I understood part of the solution, but I completely did not understand what
problem you are dealing with!!!

    > Issuers are for reverse proxys that do not support optional_no_ca. Pin
    > validation is performed by the application

If I understood this comment, the issue is that are TLS terminating proxies
that can only validate client TLS certificates from CAs that they have been
configured with.

They can not opportunistically use a certificate provided in the TLS setup to
complete the TLS connection, and then allow an application framework behind
them to indicate if the client certificate should have been accepted or not.

I don't yet understand how your protocol solves this, but I think that
RFC8995 could suffer from this constraint in the Registrar->MASA connection.

https://datatracker.ietf.org/doc/draft-bdc-something-something-certificate/
tried to find a place to be adopted, and I think that had it gotten somewhere
that it might have helped you.
(Yes, there are issues of how to make this work with TLS 1.3 re-authentication)

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email