IETF Logo Mail Archive

Re: [TLS] I-D on TLS authentication with VC

Hannes Tschofenig <hannes.tschofenig@gmx.net> Sun, 07 April 2024 17:43 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1065DC14F5F7 for <tls@ietfa.amsl.com>; Sun, 7 Apr 2024 10:43:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmx.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GasMuKPpbye5 for <tls@ietfa.amsl.com>; Sun, 7 Apr 2024 10:43:51 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF345C14F5F1 for <tls@ietf.org>; Sun, 7 Apr 2024 10:43:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmx.net; s=s31663417; t=1712511827; x=1713116627; i=hannes.tschofenig@gmx.net; bh=8QLXzfLL+qYrf1/zZ5sl4t4vFhI+6sLbO+jxce+V9MQ=; h=X-UI-Sender-Class:Date:Subject:To:References:From:In-Reply-To; b=KUNY+Dhw3H12+uhhK8nCUDOCTe1lEVdBejZ5QrwLiO922FWkVZkDH7WdpWtDJmAF yH8taTilFP+twm+6YEY4SabS2jungt/J4JtwCn4pFt1zI5x9IMPXk8Ct9WvQpXY9A 9IzuBOX+zJvgXtIxJnxmMT8p+Efq531QBFPla0cNL/fkzu84BnypZGhRfyJgIYCSw 2FWRl/MkAJveNULj1ZzdRqp31fSWfxfeOPgle4OLH9tvrrShFObYr/8W7FuhBp8nX U2LDtxX3sBjPl2jIUEtF5gcOccp+xn1ODLxI4MpQpRH6coS10OdGXURdeI58a/fs2 MUcga4qhxojD1JMKOQ==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from [192.168.178.21] ([87.122.57.79]) by mail.gmx.net (mrgmx004 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MVNAr-1sKiKC1Kjv-00SNE8; Sun, 07 Apr 2024 19:43:47 +0200
Message-ID: <ab1c193d-fdb1-4713-a775-8db26f4f5c5f@gmx.net>
Date: Sun, 07 Apr 2024 19:43:46 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Andrea Vesco <andrea.vesco@linksfoundation.com>, "tls@ietf.org" <tls@ietf.org>
References: <F515427B-EE5A-4514-9787-8BB3F95FC380@linksfoundation.com> <01d001da867a$f43dbdb0$dcb93910$@gmx.net> <7636CB52-2A8D-4851-88E9-1DA86196A3F2@linksfoundation.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <7636CB52-2A8D-4851-88E9-1DA86196A3F2@linksfoundation.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:aF0QILkW3KmvABsVFnqbmIwLdfslwVBLksOxC4LGD1UDLOR65qx eLVojSPuijLCMmJ3bxJM5vdBel8B9H2SQnkEXzWtzjWLvt0LkK8ICiLQ2vxYw1Piz192kth yxMDuxTMac60M4VTfoa3Whx/zJ/966qKhV65RDZ6CLb2y8v7ep6XWR/NNm1SztztX0za9o9 9PtTE+8xvv97vZ/MjJ4zA==
UI-OutboundReport: notjunk:1;M01:P0:VWtGMx+wZ4c=;H2u/4L9FHNL2dg9TU/JmQKRlN6R y0XayTY8ItYyyz4RXFGZ4DanyU66l8/qHiF33EX/Z5Py2XoyAwiLQw+qMWbI0o0JICzZh59uk ScRigS0I2hxmeVjvcv4G+LxRGn2T/5MoFQ/I+l3J3pRJevgvpAtQ1XA0BI+BMXGipg1fq63gp 1OIE95LoFHCc6KaguogOgbSZuFsiFoKtrLZF8haNjoZyOwVNrMTWhIh8xbgsGfbIB+Ihs6DOv vxYwcKzu1lK3W7Nf6OcR+qS7U7YtKYmDiREeV05sASf9piOjOpUs8YR+7ihGXg0MD9JuMLkFv HbKCbmFlUdVjLktt8HRr9bNK5Mkbko+/au1RdQymdIgc9tv1aAsmwPhHNm1pmBRSgiftxmRTc wnzPkc2njePMZh4ZZqeOABLMFGpbadJXNuA7bMnGEMQ1zVSMvtChBd4gWq77mLOrkUh0OihZM DS4ymo9mtkkOc0v766+UhrKVAhgXWXxG/87j875oA2xGCDsgBELWYCEqxC47FMURXB0BsiWVj A754pwE8CH3rdnGYVryNbRhwTjNGxhwEXDskIWkTOBGQ2pFVUFFso9znFeae/Ikd9c+N4OKSL ZQj7eHVHQjs6RVNZzSXjhoxF9kg6YwX51tUfnuJHlLPz3Org37rwNpCkzocW6UyzsRuTB1HFe x2xGppec5ePzmZvpN7FsxEWRFdkhCx9O1BCDOxBAHoUeUpmPOSbSPbhinIkkK78cRYCi/JcNu Dov/Q99NBNJWlAs1Iw59l85uhxQ6/vF7m8ndDX617aHDFrWC7PlHs2BDyYs9JENwTCrU5pBKN 059WNiwetzh28Qr/Yq4qRa2KvbfXbuE2dgeQXZR6C/sIw=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/CNfFwxJPfV2OGjJv2QIuBsn7XEs>
Subject: Re: [TLS] I-D on TLS authentication with VC
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Apr 2024 17:43:55 -0000

Hi Andrea


thanks for the extra background.


How do you plan to deal with the large number of DID methods?
Standardization of many of the DID methods has not been finished and
they appear to have vastly different security properties, even for the
most basic DID methods like did:web and did:key. It sounds difficult to
accomplish interoperability in such a flexible system.


Ciao
Hannes


Am 05.04.2024 um 12:12 schrieb Andrea Vesco:
> Hi Hannes, thanks for your question.
>
> We are referring to a (well-resourced) IoT system with edge computing nodes. In the IoT/edge segment, the VC can be used for mutual authentication directly in TLS to avoid the only option available today: first establish a TLS channel with X.509 based server-only authentication and, second, authenticate the client with its VC on top of the TLS channel. The Client authentication at the application layer works well, but in our opinion, only in web scenarios.
> In addition, using the client_certificate_type and server_certificate_type extensions would also enable the option of hybrid (VC - X.509) mutual authentication in the edge/cloud segment at the TLS layer.
> In our opinion, this is an incremental approach to support the adoption of VC and DID technologies in IoT systems.
>
> Best, Andrea
>
>
>> On 4 Apr 2024, at 12:29, hannes.tschofenig@gmx.net wrote:
>>
>> Hi Andrea,
>>
>> Thanks for sharing the info.
>>
>> Could you say a bit more about your IoT use case?
>>
>> Ciao
>> Hannes
>>
>> -----Original Message-----
>> From: TLS <tls-bounces@ietf.org> On Behalf Of Andrea Vesco
>> Sent: Donnerstag, 4. April 2024 10:53
>> To: tls@ietf.org
>> Subject: [TLS] I-D on TLS authentication with VC
>>
>> L. Perugini and I have written an I-D on the use of Verifiable Credentials [1][2] as an additional authentication mode in TLS.  We presented the I-D to the ALLDISPATCH WG during IETF119 and the outcome was to explore the potential interest of the TLS WG. The I-D proposes to add (i) a new Certificate Type called VC in addition to X509 and RawPublicKey to the existing client_certificate_type and server_certificate_type extensions and (ii) a new extension called did_methods to carry the list of DID Methods supported by the endpoint to resolve the peer's DID during the validation of the Verifiable Credential. The I-D focuses on the IoT use case.
>>
>> We are aware of the current discussion in the working group about new code points and would like to know your opinion in the case of this I-D and to explore the possible interest. Thank you in advance for your feedback.
>>
>> I-D: https://datatracker.ietf.org/doc/draft-vesco-vcauthtls/
>> Code:
>> - Provider https://github.com/Cybersecurity-LINKS/openssl-ssi-provider
>> - OpenSSL https://github.com/Cybersecurity-LINKS/openssl
>>
>> [1] https://www.w3.org/TR/vc-data-model-2.0/
>> [2] https://www.w3.org/TR/did-core/
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>

v2.23.0 | Report a Bug | By Email