[Secdispatch] Re: Request for Review and Adoption of Internet Draft: High Assurance DIDs with DNS

Arnaud Taddei <arnaud.taddei@broadcom.com> Mon, 04 November 2024 14:10 UTC

Return-Path: <arnaud.taddei@broadcom.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E90DC1840E6 for <secdispatch@ietfa.amsl.com>; Mon, 4 Nov 2024 06:10:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.051
X-Spam-Level:
X-Spam-Status: No, score=-2.051 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, TRACKER_ID=0.1, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=broadcom.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pUHlx2N5u9he for <secdispatch@ietfa.amsl.com>; Mon, 4 Nov 2024 06:10:18 -0800 (PST)
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20E87C20796D for <secdispatch@ietf.org>; Mon, 4 Nov 2024 06:10:18 -0800 (PST)
Received: by mail-wm1-x32b.google.com with SMTP id 5b1f17b1804b1-431548bd1b4so34799835e9.3 for <secdispatch@ietf.org>; Mon, 04 Nov 2024 06:10:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1730729416; x=1731334216; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=4HyPsc5WMzsp5TpmOc4w1ZeCYZLEZxRQ5lUTfrmxgBg=; b=QEJ1LRoN1dfOK1tbECVVOUVxIEJNyOFO5FPiXizUO3Qamft5Gx6HMawVceSRRj4vCw 1raPCgnDPaei1voGFlKtw44nmf3NqGM//LuT1PskaPnGMxozTX/NeCAqVYmMrDkSXoa4 XNQmnnP73CQkBYmfmGlXxnkr+RuqjNHcAs9K0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1730729416; x=1731334216; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=4HyPsc5WMzsp5TpmOc4w1ZeCYZLEZxRQ5lUTfrmxgBg=; b=e04T/SgCNZ9hFBZvQYPbz8GS9TwWv5oUMALY6ezEqDFu5Tdj1BaF5h6wU98o2J5QGS usZNS8qo0aj0pjVkn2XfcqMSOltRYqypqJ6PG5FetWp9ZKBl6q1qPArueoINhyv6qRUf aM5TT3f6WkHibkcRzQuEBtl59ZbTHYAiNT9Y9TVunz/JpITjdUFK07KbBYGMOWlf3cgW L/hrtVZjLpKhS90Dsf/tHVNgjg8CPWvAVz2kC7oMN4VYfAgFeaU/Z3VKFzQah6cRYHdT RHIqiBfgq43AE7erB9nks/VC9KR8ZJdi9Af/QlS8JjiRytYDmAgKj+8vrkaxgsFEoSz4 RP0w==
X-Forwarded-Encrypted: i=1; AJvYcCVSTpJS60MWJ9tOorzRp1LFWHtreiRGv9TlTEVLnWmlx5BFgo2w4GvYy+Btzx9EaYVs6qPHHBEInJfx1A==@ietf.org
X-Gm-Message-State: AOJu0Yy0vcTrhxPBpCLrqszC1bvGY9HvVdJ18rd0SsPd4g4BpcNJ1QBa aCQIYrnXWqSFZUd844uSxfnxnKEqmm37N6jPrmf7W+W4qBcqjxH6eRih59nz1a9TQMUz80EsIE9 vz4shrE9Oq0ekLBa7QM4SJTikJvkFk/5Ngj9TcnHR
X-Google-Smtp-Source: AGHT+IFG7S2cdIHYy5FmpkjPwXlJ1Qms+A8ZTuWhRANAW7XaI0Iu32hBq3MHyVZH0LwATcDgu326HA==
X-Received: by 2002:a05:600c:1987:b0:431:6083:cd2a with SMTP id 5b1f17b1804b1-4328324d6bfmr95712095e9.15.1730729415827; Mon, 04 Nov 2024 06:10:15 -0800 (PST)
Received: from smtpclient.apple ([81.173.15.10]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4327d5ab2aasm154273115e9.6.2024.11.04.06.10.14 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 04 Nov 2024 06:10:14 -0800 (PST)
From: Arnaud Taddei <arnaud.taddei@broadcom.com>
Message-Id: <D2933A25-747C-4B87-99A0-7A4764754572@broadcom.com>
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3776.700.51\))
Date: Mon, 04 Nov 2024 14:10:03 +0000
In-Reply-To: <CABcZeBNa7KG4SNxqpJnNhA9KtyOiO5e9efb-xX+m9p0od7hzxA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
References: <YT2P288MB0252E6E515F3E9A5833C32488A952@YT2P288MB0252.CANP288.PROD.OUTLOOK.COM> <YT2P288MB02523F41AE4C3EBCDE33D38C8A962@YT2P288MB0252.CANP288.PROD.OUTLOOK.COM> <CADNypP9-Zk3B_hwvpk9z2mQhfxPbgp0g_BFDgj09B=aBOZ_egw@mail.gmail.com> <CABcZeBNa7KG4SNxqpJnNhA9KtyOiO5e9efb-xX+m9p0od7hzxA@mail.gmail.com>
X-Mailer: Apple Mail (2.3776.700.51)
Content-Type: multipart/alternative; boundary="Apple-Mail=_5A4F8DE8-E399-481D-809B-C18BDA7A9280"
Message-ID-Hash: BE4UUMMVC2WGL2PVSR7AWSRMPUS6HLLB
X-Message-ID-Hash: BE4UUMMVC2WGL2PVSR7AWSRMPUS6HLLB
X-MailFrom: arnaud.taddei@broadcom.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdispatch.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, Jacques Latour <Jacques.Latour=40cira.ca@dmarc.ietf.org>, "secdispatch@ietf.org" <secdispatch@ietf.org>, Jesse Carter <Jesse.Carter@cira.ca>, Mathieu Glaude <mathieu@northernblock.io>, Tim Bouma <tim.bouma@dgc-cgn.org>, Jim Fenton <fenton@bluepopcorn.net>, "Pengshuping (Peng Shuping)" <pengshuping@huawei.com>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Secdispatch] Re: Request for Review and Adoption of Internet Draft: High Assurance DIDs with DNS
List-Id: Security Dispatch <secdispatch.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/yt8YKxl8m4m8CX3G6cAIxAiVLt4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Owner: <mailto:secdispatch-owner@ietf.org>
List-Post: <mailto:secdispatch@ietf.org>
List-Subscribe: <mailto:secdispatch-join@ietf.org>
List-Unsubscribe: <mailto:secdispatch-leave@ietf.org>

+1 on 

> "The appropriate place for this work is in
> the W3C DID WG. I might feel differently if the W3C were to sendd us a
> liaison statement asking us to pick up this work."

Arnaud Taddei
Global Security Strategist | Enterprise Security Group

mobile: +41 79 506 1129 
Geneva, Switzerland
arnaud.taddei@broadcom.com <mailto:arnaud.taddei@broadcom.com> | broadcom.com

> On 3 Nov 2024, at 21:36, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> DISPATCH COMMENTS
> I do not think that the IETF is the proper location for this
> document. DIDs are not an IETF product and there's very little
> IETF-specific in this WG. The appropriate place for this work is in
> the W3C DID WG. I might feel differently if the W3C were to sendd us a
> liaison statement asking us to pick up this work.
> 
> 
> TECHNICAL COMMENTS
> 
> * did:web
> I understand the design you have for did:X where X != Web, where
> there is a signature from some key that is in the DNS. But
> with did:web, it seems like instead the key is being used to
> validate the TLS connection to the Web server? This seems
> quite a bit weaker. Why not sign all th time?
> 
> * DNSSEC
> I think this really needs to require DNSSEC all the time. I
> have concerns about the deployability of DNSSEC, but I don't
> see how this mechanism adds real safety without that.
> 
> S 3.3.
>    The association to a domain stemming only from the did is
>    unidirectional.  By leveraging URI records as outlined in
>    [DID-in-the-DNS], we can create a bidirectional relationship,
>    allowing a domain to publish their associated DID in the DNS.
> 
>    *_Ex: _did.example-issuer.ca <https://www.google.com/url?q=http://did.example-issuer.ca&source=gmail-imap&ust=1731274658000000&usg=AOvVaw1ZqenU3nqF74NQcYpUpOl_> IN URI 1 0 “did:web:example-issuer.ca <https://www.google.com/url?q=http://example-issuer.ca&source=gmail-imap&ust=1731274658000000&usg=AOvVaw2YS4iC3JTD6qTKFtyPdtse>”_*
> 
>    This relationship enhances security, as an entity would require
>    control over both the DID and the domain’s DNS server to create this
>    bidirectional association, reducing the likelihood of malicious
>    impersonation.
> 
> I don't follow how this works. Once you are signing using a key
> in the DNS, how does this new record help?
> 
> 
> S 3.4.3.
> 
>    Hosting the public keys in TLSA records provides a stronger mechanism
>    for the verifier to verify a did and its associated entity with, as
>    they are able to perform a cryptographic challenge against the DID
>    using the corresponding TLSA records, or against the domain using the
>    corresponding [verificationMethod] in the DID document.  The
>    accessibility of the public keys is also beneficial, as the verifier
>    does not need to resolve the DID document to accesss its associated
>    key material, enhancing interoperability.
> 
> I'm not sure what you are contrasting hosting the keys in DNS to. Can you
> expand.
> 
> 
> 
> 
> 
> On Mon, Sep 9, 2024 at 10:44 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com <mailto:rifaat.s.ietf@gmail.com>> wrote:
>> Thanks Jacques!
>> We will add it to the list of topics to discuss.
>> Will you be attending in person or remote?
>> 
>> Regards,
>>  Rifaat
>> 
>> 
>> On Thu, Aug 29, 2024 at 8:57 AM Jacques Latour <Jacques.Latour=40cira.ca@dmarc.ietf.org <mailto:40cira.ca@dmarc.ietf.org>> wrote:
>>> Hi,
>>> 
>>>  
>>> 
>>> ACME recommended this should be sent here for considerations.
>>> 
>>>  
>>> 
>>> Looking forward to see what you think and where home is 😉.
>>> 
>>>  
>>> 
>>> Jacques
>>> 
>>>  
>>> 
>>>  
>>> 
>>> From: Jacques Latour <Jacques.Latour@cira.ca <mailto:Jacques.Latour@cira.ca>> 
>>> Sent: August 28, 2024 4:30 PM
>>> To: acme@ietf.org <mailto:acme@ietf.org>
>>> Cc: Jacques Latour <Jacques.Latour@cira.ca <mailto:Jacques.Latour@cira.ca>>; Jesse Carter <Jesse.Carter@cira.ca <mailto:Jesse.Carter@cira.ca>>; Mathieu Glaude <mathieu@northernblock.io <mailto:mathieu@northernblock.io>>; Tim Bouma <tim.bouma@dgc-cgn.org <mailto:tim.bouma@dgc-cgn.org>>
>>> Subject: Request for Review and Adoption of Internet Draft: High Assurance DIDs with DNS
>>> 
>>>  
>>> 
>>> Hi all!
>>> 
>>>  
>>> 
>>> First time asking for an internet draft adoption.
>>> 
>>>  
>>> 
>>> ·         https://datatracker.ietf.org/doc/draft-carter-high-assurance-dids-with-dns/ <https://www.google.com/url?q=https://datatracker.ietf.org/doc/draft-carter-high-assurance-dids-with-dns/&source=gmail-imap&ust=1731274658000000&usg=AOvVaw1ogj06MGAolSgLugBTjbPq>
>>>  
>>> 
>>> As one of the authors of the internet draft titled "High Assurance DIDs with DNS" (draft-carter-high-assurance-dids-with-dns), I am writing to request the ACME Working Group to review and consider adopting this draft as part of your working group.
>>> 
>>> 
>>> The draft proposes a method for integrating high assurance Decentralized Identifiers (DIDs) with the Domain Name System (DNS), aiming to enhance the security and reliability of DIDs by leveraging the established trust infrastructure of DNS. We believe that this integration aligns well with the goals and expertise of the ACME Working Group, particularly in the areas of secure and automated certificate management.
>>> 
>>> We would greatly appreciate the opportunity to present this draft to the working group and discuss its potential benefits and implementation details. Your feedback and guidance would be invaluable in refining the draft and ensuring its alignment with the broader objectives of the IETF.
>>> 
>>> Please let us know if there are any specific procedures or additional information required for this request. We are eager to collaborate with the ACME Working Group and contribute to the advancement of secure and reliable internet standards.
>>> 
>>> In terms of support and reference for this draft, we have the following references that may help justify our ask.
>>> 
>>>  
>>> 
>>> ·         https://dhs-svip.github.io/requirements-for-decentralized-identity/TrustArchitecture/ <https://www.google.com/url?q=https://dhs-svip.github.io/requirements-for-decentralized-identity/TrustArchitecture/&source=gmail-imap&ust=1731274658000000&usg=AOvVaw3CKLhB9FM1v13XEhrWMfv_>
>>> ·         DID Specification Registries (w3c.github.io) <https://www.google.com/url?q=https://w3c.github.io/did-spec-registries/%23dnsvalidationdomain&source=gmail-imap&ust=1731274658000000&usg=AOvVaw34IbVkaMbfNTct5EGApM90>
>>> ·         Trust DID Web - The did:tdw DID Method (bcgov.github.io) <https://www.google.com/url?q=https://bcgov.github.io/trustdidweb/&source=gmail-imap&ust=1731274658000000&usg=AOvVaw2YLyJc19O8s3fS1dpEj07l>
>>>  
>>> 
>>> Example DNS implementation:
>>> 
>>>  
>>> 
>>> $ dig _did.trustroot.ca <https://www.google.com/url?q=http://did.trustroot.ca&source=gmail-imap&ust=1731274658000000&usg=AOvVaw1x9FVNlH8n_J85rAgA8ztb> uri +dnssec +multi
>>> 
>>>  
>>> 
>>> _did.trustroot.ca <https://www.google.com/url?q=http://did.trustroot.ca&source=gmail-imap&ust=1731274658000000&usg=AOvVaw1x9FVNlH8n_J85rAgA8ztb>.      3518 IN URI 0 0 "did:web:trustroot.ca <https://www.google.com/url?q=http://trustroot.ca&source=gmail-imap&ust=1731274658000000&usg=AOvVaw3j4bQYtHTFfyqTKusv6eNT>"
>>> 
>>> _did.trustroot.ca <https://www.google.com/url?q=http://did.trustroot.ca&source=gmail-imap&ust=1731274658000000&usg=AOvVaw1x9FVNlH8n_J85rAgA8ztb>.      3518 IN RRSIG URI 13 3 3600 (
>>> 
>>>                                 20240905000000 20240815000000 17999 trustroot.ca <https://www.google.com/url?q=http://trustroot.ca&source=gmail-imap&ust=1731274658000000&usg=AOvVaw3j4bQYtHTFfyqTKusv6eNT>.
>>> 
>>>                                 4CJsquY7BEcA2YX1iWHIKzXx4lEvWa7k8JWNbp4zu3dp
>>> 
>>>                                 KQXdwZ73geTKgzfNz9g5+HyckxTyNyz8LU8lA+G4lg== )
>>> 
>>>  
>>> 
>>> $ dig _did.trustroot.ca <https://www.google.com/url?q=http://did.trustroot.ca&source=gmail-imap&ust=1731274658000000&usg=AOvVaw1x9FVNlH8n_J85rAgA8ztb> tlsa +dnssec +multi
>>> 
>>>  
>>> 
>>> _did.trustroot.ca <https://www.google.com/url?q=http://did.trustroot.ca&source=gmail-imap&ust=1731274658000000&usg=AOvVaw1x9FVNlH8n_J85rAgA8ztb>.      3527 IN TLSA 3 1 1 (
>>> 
>>>                                 CEEAD59AAE176DDD8889DF0B02083CB393D07655CBA9
>>> 
>>>                                 D668EA334ABDBDB72A39 )
>>> 
>>> _did.trustroot.ca <https://www.google.com/url?q=http://did.trustroot.ca&source=gmail-imap&ust=1731274658000000&usg=AOvVaw1x9FVNlH8n_J85rAgA8ztb>.      3527 IN TLSA 3 1 0 (
>>> 
>>>                                 302A300506032B6570032100C300A443F0427440AC90
>>> 
>>>                                 BDA85B4F97896879564A7AB649B976FA7D15FEAFC225 )
>>> 
>>> _did.trustroot.ca <https://www.google.com/url?q=http://did.trustroot.ca&source=gmail-imap&ust=1731274658000000&usg=AOvVaw1x9FVNlH8n_J85rAgA8ztb>.      3527 IN RRSIG TLSA 13 3 3600 (
>>> 
>>>                                 20240905000000 20240815000000 17999 trustroot.ca <https://www.google.com/url?q=http://trustroot.ca&source=gmail-imap&ust=1731274658000000&usg=AOvVaw3j4bQYtHTFfyqTKusv6eNT>.
>>> 
>>>                                 z/E+jECtQzNi0zcBcrVa8P8UKiHx5SHcSEmN2vR6Oe4t
>>> 
>>>                                 nfvjso/8/ZXo/IlWtoqgIYrCeJJ9NLFTu/q0cGwUIg== )
>>> 
>>>  
>>> 
>>> Thank you for your time and consideration.
>>> 
>>> Best regards,
>>> 
>>> Jacques, Jesse, Mathieu and Tim.
>>> 
>>>  
>>> 
>>>  
>>> 
>>>  
>>> 
>>> CLASSIFICATION:CONFIDENTIAL
>>> 
>>> _______________________________________________
>>> Secdispatch mailing list -- secdispatch@ietf.org <mailto:secdispatch@ietf.org>
>>> To unsubscribe send an email to secdispatch-leave@ietf.org <mailto:secdispatch-leave@ietf.org>
>> _______________________________________________
>> Secdispatch mailing list -- secdispatch@ietf.org <mailto:secdispatch@ietf.org>
>> To unsubscribe send an email to secdispatch-leave@ietf.org <mailto:secdispatch-leave@ietf.org>
> _______________________________________________
> Secdispatch mailing list -- secdispatch@ietf.org
> To unsubscribe send an email to secdispatch-leave@ietf.org


-- 
This electronic communication and the information and any files transmitted 
with it, or attached to it, are confidential and are intended solely for 
the use of the individual or entity to whom it is addressed and may contain 
information that is confidential, legally privileged, protected by privacy 
laws, or otherwise restricted from disclosure to anyone else. If you are 
not the intended recipient or the person responsible for delivering the 
e-mail to the intended recipient, you are hereby notified that any use, 
copying, distributing, dissemination, forwarding, printing, or copying of 
this e-mail is strictly prohibited. If you received this e-mail in error, 
please return the e-mail to the sender, delete it from your computer, and 
destroy any printed copy of it.