Re: [Secdispatch] Requesting agenda time for draft-halen-fed-tls-auth
Michael Richardson <mcr+ietf@sandelman.ca> Tue, 12 July 2022 21:32 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8D93C157B4A for <secdispatch@ietfa.amsl.com>; Tue, 12 Jul 2022 14:32:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CmRFct7gkoGz for <secdispatch@ietfa.amsl.com>; Tue, 12 Jul 2022 14:32:20 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F9C1C159480 for <secdispatch@ietf.org>; Tue, 12 Jul 2022 14:32:19 -0700 (PDT)
Received: from dooku.sandelman.ca (cpef81d0f835a73-cmf81d0f835a70.sdns.net.rogers.com [174.115.215.42]) by relay.sandelman.ca (Postfix) with ESMTPS id 412741F47D; Tue, 12 Jul 2022 21:32:18 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 44A9A1A051E; Tue, 12 Jul 2022 17:32:16 -0400 (EDT)
Received: from dooku (localhost [127.0.0.1]) by dooku.sandelman.ca (Postfix) with ESMTP id 422B91A0373; Tue, 12 Jul 2022 17:32:16 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Stefan Halen <stefan.halen=40internetstiftelsen.se@dmarc.ietf.org>
cc: "secdispatch@ietf.org" <secdispatch@ietf.org>
In-reply-to: <fded171a-9f7e-3633-c5e2-c959e8ff405d@internetstiftelsen.se>
References: <e5685a29-f8b6-f44a-ad8a-cda5da1c1e75@internetstiftelsen.se> <CABcZeBPn+FuHWFffWBTtQW9wzhuSO8piBRrTfDQ3ikJZRS_FFw@mail.gmail.com> <fded171a-9f7e-3633-c5e2-c959e8ff405d@internetstiftelsen.se>
Comments: In-reply-to Stefan Halen <stefan.halen=40internetstiftelsen.se@dmarc.ietf.org> message dated "Fri, 08 Jul 2022 15:01:25 -0000."
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Tue, 12 Jul 2022 17:32:16 -0400
Message-ID: <758931.1657661536@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/jzEV2BjYIQggtWp_zZeKIv2Eby0>
Subject: Re: [Secdispatch] Requesting agenda time for draft-halen-fed-tls-auth
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2022 21:32:23 -0000
Stefan Halen <stefan.halen=40internetstiftelsen.se@dmarc.ietf.org> wrote: > The metadata is also used for discovery. The client normally select a > server based on metadata claims (e.g., organization, tags). The client > connects to the server's base_uri, also found in metadata. > The federation operator must keep track of the members and which > combinations of tags and peer type each member may publish. > To enable self-signed certificates, there is the possibility of > publishing issuers. Perhaps I'll understand the problem more after you revise the document, or maybe your slides will motivate things. I am generally enthusiastic about anything that pushes for more use of mutual TLS authentication! I understood part of the solution, but I completely did not understand what problem you are dealing with!!! > Issuers are for reverse proxys that do not support optional_no_ca. Pin > validation is performed by the application If I understood this comment, the issue is that are TLS terminating proxies that can only validate client TLS certificates from CAs that they have been configured with. They can not opportunistically use a certificate provided in the TLS setup to complete the TLS connection, and then allow an application framework behind them to indicate if the client certificate should have been accepted or not. I don't yet understand how your protocol solves this, but I think that RFC8995 could suffer from this constraint in the Registrar->MASA connection. https://datatracker.ietf.org/doc/draft-bdc-something-something-certificate/ tried to find a place to be adopted, and I think that had it gotten somewhere that it might have helped you. (Yes, there are issues of how to make this work with TLS 1.3 re-authentication) -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | network architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [ -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Secdispatch] Requesting agenda time for draft-ha… Stefan Halen
- Re: [Secdispatch] Requesting agenda time for draf… Eric Rescorla
- Re: [Secdispatch] Requesting agenda time for draf… Stefan Halen
- Re: [Secdispatch] Requesting agenda time for draf… Eric Rescorla
- Re: [Secdispatch] Requesting agenda time for draf… Stefan Halen
- Re: [Secdispatch] Requesting agenda time for draf… Michael Richardson
- Re: [Secdispatch] [EXTERNAL] Re: Requesting agend… Mike Ounsworth
- Re: [Secdispatch] Requesting agenda time for draf… Stefan Halen
- Re: [Secdispatch] [EXTERNAL] Re: Requesting agend… Stefan Halen
- Re: [Secdispatch] Requesting agenda time for draf… Michael Richardson
- Re: [Secdispatch] Requesting agenda time for draf… Roman Danyliw