Re: [TLS] I-D on TLS authentication with VC

Achim Kraus <achimkraus@gmx.net> Fri, 05 April 2024 11:35 UTC

Message-ID: <01cf5f68-2697-4e71-9ec4-1f5fee33f16b@gmx.net>
Date: Fri, 05 Apr 2024 13:35:33 +0200
To: Andrea Vesco <andrea.vesco@linksfoundation.com>, "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>, "tls@ietf.org" <tls@ietf.org>
References: <F515427B-EE5A-4514-9787-8BB3F95FC380@linksfoundation.com> <01d001da867a$f43dbdb0$dcb93910$@gmx.net> <7636CB52-2A8D-4851-88E9-1DA86196A3F2@linksfoundation.com>
From: Achim Kraus <achimkraus@gmx.net>
In-Reply-To: <7636CB52-2A8D-4851-88E9-1DA86196A3F2@linksfoundation.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/WwP8NJQBp-c-IMop0qrJNMRv06Y>

Hi Andrea,

> to avoid the only option available today:

That surprises me. I think what is more in question is the comparison
of the new certificate type with the two currently used ones (x509 and
Raw Public Key). Reading your link, my first impression is that this
is pretty similar to x509 but in JSON. So talking about "only option"
seems to be a little overdone.

best regards
Achim

On 05.04.24 at 12:12, Andrea Vesco wrote:
> Hi Hannes, thanks for your question.
>
> We are referring to a (well-resourced) IoT system with edge computing nodes. In the IoT/edge segment, the VC can be used for mutual authentication directly in TLS to avoid the only option available today: first establish a TLS channel with X.509 based server-only authentication and, second, authenticate the client with its VC on top of the TLS channel. The client authentication at the application layer works well, but in our opinion, only in web scenarios.
> In addition, using the client_certificate_type and server_certificate_type extensions would also enable the option of hybrid (VC - X.509) mutual authentication in the edge/cloud segment at the TLS layer.
> In our opinion, this is an incremental approach to support the adoption of VC and DID technologies in IoT systems.
>
> Best, Andrea
>
>
>> On 4 Apr 2024, at 12:29, hannes.tschofenig@gmx.net wrote:
>>
>> Hi Andrea,
>>
>> Thanks for sharing the info.
>>
>> Could you say a bit more about your IoT use case?
>>
>> Ciao
>> Hannes
>>
>> -----Original Message-----
>> From: TLS <tls-bounces@ietf.org> On Behalf Of Andrea Vesco
>> Sent: Thursday, 4 April 2024 10:53
>> To: tls@ietf.org
>> Subject: [TLS] I-D on TLS authentication with VC
>>
>> L. Perugini and I have written an I-D on the use of Verifiable Credentials [1][2] as an additional authentication mode in TLS.  We presented the I-D to the ALLDISPATCH WG during IETF119 and the outcome was to explore the potential interest of the TLS WG. The I-D proposes to add (i) a new Certificate Type called VC in addition to X509 and RawPublicKey to the existing client_certificate_type and server_certificate_type extensions and (ii) a new extension called did_methods to carry the list of DID Methods supported by the endpoint to resolve the peer's DID during the validation of the Verifiable Credential. The I-D focuses on the IoT use case.
>>
>> We are aware of the current discussion in the working group about new code points and would like to know your opinion in the case of this I-D and to explore the possible interest. Thank you in advance for your feedback.
>>
>> I-D: https://datatracker.ietf.org/doc/draft-vesco-vcauthtls/
>> Code:
>> - Provider https://github.com/Cybersecurity-LINKS/openssl-ssi-provider
>> - OpenSSL https://github.com/Cybersecurity-LINKS/openssl
>>
>> [1] https://www.w3.org/TR/vc-data-model-2.0/
>> [2] https://www.w3.org/TR/did-core/
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
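As an added illustration that is not part of this thread or of the draft's code: the I-D proposes to add a VC code point to the RFC 7250 client_certificate_type / server_certificate_type extensions, so the wire-level negotiation it rides on is the one below. The ClientHello form is a one-byte-length vector of CertificateType values in the client's preference order; the server answers with a single CertificateType. The VC code point value used here is a constructed placeholder, since the draft's actual value is not on this page; the downgrade check on the client side is the detail a verifier must not skip.

```python
# RFC 7250 CertificateType code points (IANA "TLS Certificate Types").
X509 = 0
RAW_PUBLIC_KEY = 2
# Placeholder for the Verifiable Credential type proposed in
# draft-vesco-vcauthtls; the real code point is not on this page.
VC_PLACEHOLDER = 224  # constructed value, not an assigned code point


def encode_client_certificate_types(types):
    """ClientHello form: CertificateType client_certificate_types<1..2^8-1>.
    Entries are listed in the client's order of preference."""
    if not 1 <= len(types) <= 255:
        raise ValueError("vector must hold 1..255 entries")
    return bytes([len(types)]) + bytes(types)


def decode_client_certificate_types(body):
    """Parse the ClientHello vector, rejecting a length that does not
    match the extension body (a classic source of parser bugs)."""
    if len(body) < 2 or body[0] != len(body) - 1:
        raise ValueError("bad certificate_type vector length")
    return list(body[1:])


def select_certificate_type(offered, supported):
    """Server side: pick the first client-offered type the server supports
    and return the single-byte form sent back to the client. None means
    no offered type is supported; the server then either aborts or, for
    X.509-capable peers, proceeds without the extension (X.509 default)."""
    for t in offered:
        if t in supported:
            return bytes([t])
    return None


def verify_server_selection(selected, offered):
    """Client side: the type echoed by the server must be exactly one
    value and one the client actually offered. Anything else is a
    negotiation failure and must not be silently accepted as X.509."""
    if len(selected) != 1:
        raise ValueError("server must send exactly one CertificateType")
    if selected[0] not in offered:
        raise ValueError("server selected a type the client did not offer")
    return selected[0]
```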