IETF Logo Mail Archive

[TLS] Re: Last Call: <draft-ietf-dance-client-auth-09.txt> (TLS Client Authentication via DANE TLSA records) to Proposed Standard

Eric Rescorla <ekr@rtfm.com> Mon, 26 January 2026 17:59 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 77F66AD454B6 for <tls@mail2.ietf.org>; Mon, 26 Jan 2026 09:59:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QShK_Z1ee8MP for <tls@mail2.ietf.org>; Mon, 26 Jan 2026 09:59:33 -0800 (PST)
Received: from mail-yx1-xb136.google.com (mail-yx1-xb136.google.com [IPv6:2607:f8b0:4864:20::b136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 0CCA1AD45421 for <tls@ietf.org>; Mon, 26 Jan 2026 09:59:33 -0800 (PST)
Received: by mail-yx1-xb136.google.com with SMTP id 956f58d0204a3-649488dc7bdso4441276d50.0 for <tls@ietf.org>; Mon, 26 Jan 2026 09:59:33 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1769450366; cv=none; d=google.com; s=arc-20240605; b=J+TlCPki+Pb95b8iRgDLxCgOa9Z/4gbktyUr0+qqD5U5JK2oJqPDe2oJoJazrBmAsy bUtg7jGkdnGXL1L5G2rNT38f0ihykEY0wCt91YcQpINimG0JN6ti8fcLp+BSpYSCuUJd QWCmvLmd/8Km6OesMNnlRCmtCTTj4VHu1AL+jjhQJaYnLDuzc7JfD04Wcq6dmgw8y3PD kvxraQXFM0KbjXIqlXMEadgBIAXK2WBuO6z20Vj/umSORImuO1FWGPWFGyMpg+Umx0pF MxczFhQdZ1m+tZZUzB+nGbprJVHZHys76/i0FJSfHXkbLwJkjwStwLs+4KDp+9AxTNrg Yayw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=7CNOz60nJZ4rCnKbr1FU+SwQl8A1Qp198Vh2PISmtoU=; fh=Dvmrh3hk99TfH65HyZQwloYpPQUiZ8ZJa1tU3rcYyZI=; b=EitkAMYFFc6szSezQ6rUU9loGWeyGqAN6Ff5UXoT596L2iVjE54O0l4xPLJ/EtP824 GUBY3jrOMdTMGEmZ/k0T1Z/RcaW+GQ2k9zPSN6KvAJY4Xde3y1O23pFMAkNtzTJOBmVG X1C4iUq951H1gX3gHTozI+dHhFbdMAIse6FtaBCf/CaTO/TVY3WB+cqki1afK2Iic8lr YPDubaukOM4Jy2vGkSnnqwce+T0snKT4PtXhZJfSB4QwbJZrb4Bgwx8XVve86CKAId2Q xMZdEHB+YZs22YuPfdpQ8mSndpWWTXX4h/v1LKA47BUE0sInKnEtnPGyxP0MWNJSh5hW BTAg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1769450366; x=1770055166; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=7CNOz60nJZ4rCnKbr1FU+SwQl8A1Qp198Vh2PISmtoU=; b=xllGs0Q10mPnwJMdPY3JvrgTRSyRGKjqKSKBA5lLiYp4qeTFfzOp+g39xVVjROMghg UDdwkK/WLpGmio7ANf040xFfEYnRBxnkP+MNyNpWgjppQP33QgwZchPg5dtt4xBVF5eG EW/GiVf+BdaVNXVATRtCzoEZv/4Jxf3lhc09FwrnW+g0GGHMRsBy0XCAp1PaG4ztJAQY OHUjkuG1RM6YZxbzs1u+dahkt6NO423FuZEil79F9u+r5teo1Ab2mI7gfIPvBmv0mXQg /MQGC8Sqce1+YLrM1rHYZva750aiakGS30nQNFmvzxMdpNaHJ2HJuXr2t16C7DYtXy7i S+HQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769450366; x=1770055166; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=7CNOz60nJZ4rCnKbr1FU+SwQl8A1Qp198Vh2PISmtoU=; b=MqG+Bsx2eF0s/Qt6pQIm4RAdM4AjZRdaGri38vGi87GbgDz0pj4sIc4kfcTMocAJA8 kxt0843Ut/qL2NK0dPCAgsv2Cc7vnXLWhNht2oImK8jwrNFCSNUAq6vOnu/7xJwPsWCt OHe/wRjOcPzlPpbT5ZVltdel2OSF/NJxrJiyt501bA2BSCljGzkh1dntdXXZbgOLzQ5K 4uaykeKJFUQDACCF2k46mLzFoE/Y06HUD3hn3XpQ1VmtXY4Msx6azuspo3RFeBmbsh3G 6fP+hES6GuRfv7XWIpDTMDg+s8IwhflvaXvZa+o+V8UP4PsXqkab9pOEg60QLoHpWTJg PwSg==
X-Forwarded-Encrypted: i=1; AJvYcCVgz5GaOXrExpgyI5+I5gYOfLIWEQz8YFYcHszKmJ2GBXN8XBxN41+GeIxlnbhWQkLQAsI=@ietf.org
X-Gm-Message-State: AOJu0YyyUXBU3DZLVsxpMa+aayRFjlagF9zwETmo9V19WeRTp/8FZf6F tdQrJbUZH708dO24095Y8g4395bva9vJPwpXuM17A5L+FDa7lspdjP99yPy1z4/eeH2lv9Tc+2E AL3zF7qh11Y84PS1I6MkXx8YYHAQXhXfE96MQfUWGLA==
X-Gm-Gg: AZuq6aJ5rSdNm3FIr4aB+lL8KO3SmR1vPfNaLxevAWYpkK8q4qeFuzdRJHN/CF4gij1 2rEAidfekXfCUFew77UbO1t5QlhGvVguC/D9iQRAC0RJ3OriENinacvoEVZRFgaiTamm2H2+lhx RTQdkPxRVxjEREwK1858Lj9sVpzoyeiSgGCPVW2R9Z5E9QtMAaLlamszhwjk9wZLBtQmIhqV8/k O/6MdAlv/2l1csl2Hg313LYADLehs5DzvVQuYZstiG6ZicBC071L1KBRTRgGObI5Hm20a0FNMZt Mb+x/O93olMHsg34WBlKKTOZE6u4AiddFejLaLWGS+jz63mvB+QRQzbLXtNXxdfBVP7NYjktDX2 CRtb6tEjajA==
X-Received: by 2002:a05:690e:d59:b0:648:fecb:1e00 with SMTP id 956f58d0204a3-64970d76f8emr3714927d50.82.1769450366299; Mon, 26 Jan 2026 09:59:26 -0800 (PST)
MIME-Version: 1.0
References: <176529902699.1146491.1360588667931244217@dt-datatracker-5bd94c585b-wk4l4> <CABcZeBOCNZf-mYJ2DM1YTnUAYpvtyc5Ba2qQ6aOmsYhS1y5fvA@mail.gmail.com> <CAHPuVdV4TvP4kHsEC=7K5QNFZUktYCRU44LqJr33fzB5Md+Q1Q@mail.gmail.com> <MN2PR17MB4031E3807DE7137A169C2E24CD93A@MN2PR17MB4031.namprd17.prod.outlook.com> <CAHPuVdWssWuFsZNjKHOXc=sRyEDwAzpbtaUkZuTMvZW0=BXGJA@mail.gmail.com> <CABcZeBMcShiaC-Rrd8zdH=xa4OU2dtKtAVVfZF496t=2qJS-fw@mail.gmail.com> <CAGL5yWY3xqxaxgkNg6sYH_GSSha9tVCbcam59OiEnm=7JAyTMw@mail.gmail.com>
In-Reply-To: <CAGL5yWY3xqxaxgkNg6sYH_GSSha9tVCbcam59OiEnm=7JAyTMw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 26 Jan 2026 09:58:49 -0800
X-Gm-Features: AZwV_QgEjdhT7Wy1Sml1K4kQHwZaxSpEruO63J-QkcIoiLMjssIuJZnKwcH5yuk
Message-ID: <CABcZeBPjGrhE_QD2z7=aEMhE=yZbM_uh1aLpV8g2cg_TxbEoBg@mail.gmail.com>
To: Paul Wouters <paul.wouters@aiven.io>
Content-Type: multipart/alternative; boundary="00000000000088018e06494e448e"
Message-ID-Hash: P6DU3DYXTNOYZKA4HU5ZJAGVVJAH6DQI
X-Message-ID-Hash: P6DU3DYXTNOYZKA4HU5ZJAGVVJAH6DQI
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "last-call@ietf.org" <last-call@ietf.org>, "dance-chairs@ietf.org" <dance-chairs@ietf.org>, "dance@ietf.org" <dance@ietf.org>, "draft-ietf-dance-client-auth@ietf.org" <draft-ietf-dance-client-auth@ietf.org>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>, TLS WG <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Last Call: <draft-ietf-dance-client-auth-09.txt> (TLS Client Authentication via DANE TLSA records) to Proposed Standard
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/M-3PNgnN_xP95T_6Z4OHcjsDLJ4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi Paul,

Taking a step back from the point-by-point responses below.

The general argument you seem to be offering is that DANCE is intended
for a very limited set of use case where concealing the client's
identity is not really relevant, and therefore it's not a problem
if we leak that identity in the protocol. I don't agree with that
for three distinct reasons.

First, neither the charter nor the WG documents suggests that
this protocol is designed for a limited set of use cases. To
the contrary, the charter is quite expansive, listing:

   In response to the challenges related to ambiguity between
   identically named identities issued by different CAs, application
   owners frequently choose to onboard client identities to a single
   private PKI with a limited CA set that is specific to that
   vertical. This creates a silo effect where different parts of large
   deployments can not communicate. Examples of where DANCE could be
   useful includes SMTP transport client authentication,
   authentication of DNS authoritative server to server zone file
   transfers over TLS, authentication to DNS recursive servers, and
   Internet of Things (IoT) device identification.

This is actually quite a broad scope--and it's not even described as
exhaustive--and I don't agree at all that client identities aren't
relevant for some of these settings, for instance authentication to
DNS servers by user devices. The DANCE architecture document is far
more expansive, as discussed in my review [0]. This document
itself doesn't say anything about restricted scope. [1]


Second, even if we do think that there is a more restricted scope,
it's the WG's burden to do some real analysis to demonstrate that
that scope has more limited need for privacy properties. For example,
just because devices have names that are meaningless doesn't mean
that revealing those names isn't a privacy issue. For example,
consider the case of some sort of personal device such as a fitness
tracker, which connects back to the vendor to upload data. Even
if it identifies itself solely by serial number, knowing that
serial number allows an observer to link up multiple transmissions
by the same user, which has obvious privacy implications.


Finally, while I agree that in some limited applicability cases, we
make different security and privacy tradeoffs, we typically only do so
once we've satisfied ourselves that it's not practical to design a
system which has more generally appropriate properties. In this case,
we have an at least potentially viable alternative design, with the
main objection being raised that it involves more burden on the
client. It's possible that that's actually prohibitive, but it seems
like at minimum we should be attempting to determine whether that's
so, rather than just assuming that it is.


-Ekr


[0] https://mailarchive.ietf.org/arch/msg/dance/RLSNjxjwhGCPxdTw-gtLMcOFg0c/

[1] I think this also addresses your point about how this should have
been raised at chartering time, because, as noted above, neither the
charter nor the drafts plainly indicates such a narrow scope, and so
this objection wouldn't have been timely.

On Mon, Jan 26, 2026 at 9:28 AM Paul Wouters <paul.wouters@aiven.io> wrote:

>
> On Mon, Jan 26, 2026 at 11:51 AM Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>> A client looking up SVCB records does not expose the client’s identity.
>>>> EKR pointed out that this doc explicitly has the server look up the client
>>>> identity.
>>>>
>>>
>>> Yes, I was speaking about the general topic of not revealing domain name
>>> identities on the wire (for client or server). TLS 1.3 wants to do both.
>>>
>>
>> As I said in my previous response, TLS 1.3 already. protects the client's
>> certificate,
>> so you're introducing a privacy regression. The situation is entirely
>> different with
>> the server's identity.
>>
>
> The use cases involved do not have endusers with privacy concerns. It is
> already known that a zonewalk can get you
> all the x509 information and a query log to a target gets you a mapping of
> tls server/clients doing such dance based
> authorization/authentication. The fact that TLS itself got a privacy bump
> does not really negate this use case or add
> further compromise of privacy of the devices.
>
> That is, these deployments care about content encryption and
> authentication but don't really care about mapping out
> client identities to IP address (via either IP monitoring, DNS query
> monitoring, or TLS handshake leakages)
>
>
>>> > At one point we had considered whether the client should look up
>>> > its own DANE information and send it in an extension (the opposite
>>> > form of RFC 9102: TLS DNSSEC chain extension), but decided that this
>>>
>>>> >might be too much complexity to impose on the client, particularly
>>>> since
>>>> >some of them might be resource constrained. That topic could be
>>>> revisited.
>>>>
>>>> I think you should. A key point of TLS 1.3 is not to expose the client
>>>> identity.
>>>>
>>>
>>> Ok, I'm pondering this topic. Requiring the client to implement a
>>> complex DNSSEC chain extension like mechanism will likely be a significant
>>> barrier to implementation I feel.
>>>
>>
>> The discussion of barriers to implementation might be more productively
>> had
>> in reference to some specific deployment scenario. Who is presently
>> planning
>> to deploy this and in what settings. Would this be an obstacle to them
>> deploying?
>>
>
> The target audience was always those who don't care about leaking SNI or
> client identifiers.
> These would also typically not be endusers, but a container full of IoT
> devices where for
> example a CN= is pretty meaningless other than as a unique identifier
> mapped elsewhere
> (eg within the inventory system of the fleet manager for these devices(
>
>
>>
>>  Especially in cases where hiding the client identity for the application
>> may not be that important (like a warehouse full of machine identities).
>>
>> We generally don't design security mechanisms for this kind of limited
>> scope
>> deployment, at least without a very prominent limited applicability
>> statement.
>>
>
> This would have been a great argument for a BoF or Charter, but we have
> many years past that discusion.
> The fact that TLS 1.3 is a bit more secure than TLS 1.2 should not mean
> this use case is now somehow
> "not allowed anymore".
>
>
>> I would observe that the DANCE architecture document makes quite
>> expansive applicability claims which would clearly be in tension with this
>> kind of limitation.
>>
>
> That can be addressed in that document.
>
>
>> Careful use of encrypted DNS resolvers can also mitigate this and could
>>> be a recommendation.
>>>
>>
>> "Careful" is doing a lot of work here, given that we don't really have
>> any kind
>> of generally applicable mechanism for securely determining an encrypted
>> resolver, let alone protecting recursive to authoritative.
>>
>
> It is common for IoT devices (eg google chromecast) to actually leave the
> factory with preconfigured DoH
> servers to use. It is not that far fetched to imagine other IoT devices
> would do the same, especially since
> these are deployments of IoT devices that are truly fleet managed with
> central provisioning, and not general
> purpose enduser devices.
>
>
> Paul
>
>
>> > As a bare minimum, if no changes are made, the security considerations
>> should make this exposure explicit.
>>
>> Ack.
>>
>> >could also probably shore up the language to mandate the use
>>
>>> >of the extension (non-empty), instead of allowing it to be omitted
>>> >if the certificate only has one dns SAN identifier.
>>>
>>> That seems like a good idea.
>>>
>>> >> Below you say that the client MUST supply the client identity
>>> >> extension if there are >1 SANs but what is the server to do
>>> >> if the client does not?
>>>
>>> >The server should abort the connection with an error (and maybe
>>> >a tailored TLS alert needs to be defined).
>>>
>>> You probably do not want a custom alert as that gives out too much
>>> information.
>>>
>>
>> Good point.
>>
>> Shumon.
>>
>>

v2.37.1 | Report a Bug | By Email | System Status