Re: [TLS] I-D on TLS authentication with VC
Andrea Vesco <andrea.vesco@linksfoundation.com> Fri, 05 April 2024 10:12 UTC
Return-Path: <andrea.vesco@linksfoundation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52748C14F6B7 for <tls@ietfa.amsl.com>; Fri, 5 Apr 2024 03:12:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=istitutoboella.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b8QMUonta3dt for <tls@ietfa.amsl.com>; Fri, 5 Apr 2024 03:12:38 -0700 (PDT)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2130.outbound.protection.outlook.com [40.107.20.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAFA9C14F6B5 for <tls@ietf.org>; Fri, 5 Apr 2024 03:12:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aBPfd0Qz9q3wpOSOHT55Fny89oGFNG3EwQIObTu1MdtnIR+sTjUz8z6aJT21CgHLsjT9HrGyRdrUI9ShzmnFWto7MG9L7I8akY4ZEImtpMNLA/GIxRVIyApMtC2UVhrLAJ7S3lzxrjtyLl7U6ff11ZbAAcT+UELmSwC9ExnqTb6NNE6EhvS+CG7d/10hW+T0lgvP/OQcb1YTY2/ghjnJTyqT9IUftlYeE0C1ugcjq/Croy0C2idYojaTA7Go9xZic6ig7gHuZJUJjtaUS9EcCo3kQpieTQaR5CgMDrV5tVUhSJhlpCzx5sT1asNJvAnUNBhm+TfmRgZJ4bVpe3UZsg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=TVG7YDwGKBUyq/RG2l2dyc8DfCf6eMgM1JuNOOwAbms=; b=KAMuVjfsT0fQzyNWEbYXuzwcOlxGu3hbom7HCKFVPmoI73Fd4hOAUfOvABEG86T+FBUYKpj5Ukg+iUOardzklEB7Wq13cSD6w7PeVu2gpp3WPqYtYFZS5PPC9Kit25G/7KOCydiRMuATiTS5KseNZ1pz6ZmqxWEC9hocAiB+wtQfNzRbpNGmiIP7qBJTbvzDvTd0/lHM3ZaD9Vc+A+OFISnoZQkW0nkrlY+/okKTI+FADRWpfoYKZS9trmhn/JZhciuqDc1M/BN9xxpO/OxRABsHHhijKGixnZrcSxoMS9RiVd7/Yb2WQKeiWKBTav28kWMZZ6Oi9io7fUa5KP21YQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=linksfoundation.com; dmarc=pass action=none header.from=linksfoundation.com; dkim=pass header.d=linksfoundation.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=istitutoboella.onmicrosoft.com; s=selector2-istitutoboella-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TVG7YDwGKBUyq/RG2l2dyc8DfCf6eMgM1JuNOOwAbms=; b=T/PEU/sp09O2dpvCuOzZCM3EGrTftMX0urar/05pS4b6BN4RQCYP9+yJsOq8Abygq6+DhcjAKU/oaHhLtCxdEVQ6nw+YDsoeB88EdoyXWpCOeLFBQ+O34i9zn6ZpLbTS6gMBPwXvaheOmN1iF+dmsDbxgh6hlcOl5kM9koSbZmY=
Received: from DB9P195MB1130.EURP195.PROD.OUTLOOK.COM (2603:10a6:10:268::18) by DB9P195MB1516.EURP195.PROD.OUTLOOK.COM (2603:10a6:10:337::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.46; Fri, 5 Apr 2024 10:12:33 +0000
Received: from DB9P195MB1130.EURP195.PROD.OUTLOOK.COM ([fe80::8fe7:f255:db56:97af]) by DB9P195MB1130.EURP195.PROD.OUTLOOK.COM ([fe80::8fe7:f255:db56:97af%7]) with mapi id 15.20.7409.042; Fri, 5 Apr 2024 10:12:33 +0000
From: Andrea Vesco <andrea.vesco@linksfoundation.com>
To: "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] I-D on TLS authentication with VC
Thread-Index: AQHahm2PeEwqmzllRkOVJ3YJ0byftrFX6QuAgAGNmQA=
Date: Fri, 05 Apr 2024 10:12:33 +0000
Message-ID: <7636CB52-2A8D-4851-88E9-1DA86196A3F2@linksfoundation.com>
References: <F515427B-EE5A-4514-9787-8BB3F95FC380@linksfoundation.com> <01d001da867a$f43dbdb0$dcb93910$@gmx.net>
In-Reply-To: <01d001da867a$f43dbdb0$dcb93910$@gmx.net>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3731.700.6)
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DB9P195MB1130:EE_|DB9P195MB1516:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 8Qel7+r9Xjqb3mK3X9feU1xIMCJVP7sblTp9cRh5A3F6WxbC1ehQ0WAS5R/xQYeCwe9h6mXAX4cGlGVN13zsxRfqBSNnpvz3Mno/7/M22Av0j90wWlrE4q9gLPGP57w4neH+KRBVLB1SQIG8aSqLD+obkT7wKAnj9hBK8G1QFNxtl2cFGCb4Y+lw+/o+6CbFq/Ic65YpOe2hAzHGpZh4RT9MWKiPkvU2niK9Wmlw8wyX2twT8Yx+dVUhBXLnCoywcxmSupg4CeMlSzG/IJd04MsqGedrU+5scKTrPFkcvcSvWckdWVY7tg9U/MvwVn3K7fp3qFd4YK9PxsCuhMT4Vcvj+lxJAsAHp+/HUgLAkJ8okQWs3Tf3pdDiO/lIHB3VOa/qLWUg5fT7N8RP2JnB14uqoENG7PexPCWeRrCqUUo0vbIeIsyPYLsUKe9ycm0lA+vEUgPvliJs0dfi+SbBqsqcbBy37hsxKtvHCJplaK5jWm8f8VhTufLM+S3Wxtuh9IzDmIWu+zcAI9WTtPmziUuZAZE8gwVJqcKHL5Zr9zErDB86SjIf0UYXVuJHZnr7qHU0qHYIWk1ve/RvJ1A54umvY3VVz9WbFulpx7X8AZI=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB9P195MB1130.EURP195.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(41320700004)(366007)(376005)(1800799015); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: w2pZ6vIWAPeVRCPVEzgyEzoK1NRuIisz31mKCUDrDmlleDtISw9KmxmcTkxvmIw284zMZDl0GP5CEZzx1jSgDM4CwtIDVYimq464s5GeYpeIc+pJ31Vgk9wS8/nBSvLFaV4HhOqsJio9Wj6VWBbpeJf/6m0sOqHDAVKIo4gzITaNfgrpzyjdcsZ8KPipsJFrUesDl7BEPmXcA7Iep2g8S0sPLsBHy/rzjQhiP4Cdg43biH+VB2BhhndGkgzWMZmjpMiU9l6aCvBkDxUTRh6Xnq4sJYuOaImwQwHUmt3j0HvIjaeoGbGpeMDgTTVitxUw/BGr6t8BgQdhYPpPtEff0M8jUby0nlgKfTF8kSpYAF6n/UHgf8TdDg+YJ3UiUpP1bLJhUdRESrG3BZ8ZAOMqHWfG1mAVrcMLSXOq4VDwLJH2SCCyfaKibWva4IhqNchtpcKEFm69W38OOyAx3eNOg9+wpjFX1UP6SPICjwd1GuhFwGxmgWNj/qL3ZN8qt7CaCJNK+UsK2NNGo9hI5KEC2+faQHohMcdN2WRX48A1eIl8ObnxL9Q2r7EhcpZQvcIzHos7c0DnbBnPQNfCSgZ6B8X+W6KSiaOrfx1U61qYeQexz6PiRZ9XZH8wbMG10R30xh0sLayELKV4n2+5I7LV59frMjoC+oZSZdFUvS+11JpsUhNzHd1Kdb80TcZOEnzdN8SrRZXFEdeIVziBbJQOWN/8FxNvKiDNyBamiNCxLGJIIblCMcnBNcgwdhhTxA9s5ChqT8LCtGOXLsvfnfr0FKDW3nl1B9JppLYoxSDcKIwJd1ray7Pgwjcnn39odmJwIsjzf+MunvWqhBKtQHwh/O3iIz2k76bacND9haZKgTlMdntQTVB7xEkzqdfC0CY+Ht1WNgUwJQB/gNl1E9ubmJXWqf4AaRw04FQdMUbvLroChfx+yUgQzDNJiHzFvwe32MGrdiB5TRPvb4i2poULBd4w5fbXolhAKQYMX3qqW+VaaMn4aEYxb50bAOWW+jxMnERcs2VgRf58qz7PpPkCFPdOyFrYjlOJ2zT7q4RifvWpR22Uum1Tfg9P3CAnDlw98HkGey4sglyAN0G/I62zoy+m4zCzBY3In92XX3ed/UxYf/nczYNwxYMwtW0aJQBsbNJYNgbVU/NmFu8FLJY205rckDc7TLwfd+Cpon30EkQu4K0obnrKlSfsmGcdBT8z/GCFJFGxbn+0KQdW+wnDv5pjbQc3DRAyRrYH5A0lU9j4Ya/U/nK/wkOUBthrFgrfbLMvNUdAeijOa2NsX6TvhX+VIRuQ0Oo8JQFwiTCJ0lqrsAI5UeKsFtjVv2/KpTlezZXczNxfRybEZ1aHrR/r5Vnarql3gFRuOw0YBgaAMgLMypwIFYRz1cEf7GpbuYsIfg+XSus4suvU+fXjFWntLaMxhQk9izz1LJzO/P7NEH12Z01o9svwg5eCnltpmci0HP76Y7BMVeyVjrWbeh0Uqsr/3AUbTiGFnLIjT6cJ6ZN1B0Dl8CIoWAvcdHxZuHu2QPfQxSgKuTxqmf5XdL7cgYmi62VYmFBsaE8l2QPIEk66g0gsN43ivt4XyZB1/Yy1ipXwhZXD1MeIADKmxQPNlNq4qfMkNOdMG5e6wxYfjDM=
Content-Type: text/plain; charset="us-ascii"
Content-ID: <C1ECA4C176FC1B40AACBDDF54ABACFA4@EURP195.PROD.OUTLOOK.COM>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: linksfoundation.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DB9P195MB1130.EURP195.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: b87eeb43-019a-4ca5-1508-08dc5558e8c9
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Apr 2024 10:12:33.0712 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46a5eda7-5583-400d-805d-330f6efe08bd
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: vxm7A8Jc9a3GnBFWs5dLPpUAZaVnJnyWTIGKRmIOvDNWtr9oEP7AEGaVrKPhTrQaWiXw9j7AIG03hX7JjiJAvfIhuDwN++098LYIYZHIi5V8aeOCbwTJeIi3eufH6qg6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9P195MB1516
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/kslIZ_N7XgK_QLIOUL0jOi1KQMM>
Subject: Re: [TLS] I-D on TLS authentication with VC
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2024 10:12:43 -0000
Hi Hannes, thanks for your question. We are referring to a (well-resourced) IoT system with edge computing nodes. In the IoT/edge segment, the VC can be used for mutual authentication directly in TLS to avoid the only option available today: first establish a TLS channel with X.509 based server-only authentication and, second, authenticate the client with its VC on top of the TLS channel. The Client authentication at the application layer works well, but in our opinion, only in web scenarios. In addition, using the client_certificate_type and server_certificate_type extensions would also enable the option of hybrid (VC - X.509) mutual authentication in the edge/cloud segment at the TLS layer. In our opinion, this is an incremental approach to support the adoption of VC and DID technologies in IoT systems. Best, Andrea > On 4 Apr 2024, at 12:29, hannes.tschofenig@gmx.net wrote: > > Hi Andrea, > > Thanks for sharing the info. > > Could you say a bit more about your IoT use case? > > Ciao > Hannes > > -----Original Message----- > From: TLS <tls-bounces@ietf.org> On Behalf Of Andrea Vesco > Sent: Donnerstag, 4. April 2024 10:53 > To: tls@ietf.org > Subject: [TLS] I-D on TLS authentication with VC > > L. Perugini and I have written an I-D on the use of Verifiable Credentials [1][2] as an additional authentication mode in TLS. We presented the I-D to the ALLDISPATCH WG during IETF119 and the outcome was to explore the potential interest of the TLS WG. The I-D proposes to add (i) a new Certificate Type called VC in addition to X509 and RawPublicKey to the existing client_certificate_type and server_certificate_type extensions and (ii) a new extension called did_methods to carry the list of DID Methods supported by the endpoint to resolve the peer's DID during the validation of the Verifiable Credential. The I-D focuses on the IoT use case. > > We are aware of the current discussion in the working group about new code points and would like to know your opinion in the case of this I-D and to explore the possible interest. Thank you in advance for your feedback. > > I-D: https://datatracker.ietf.org/doc/draft-vesco-vcauthtls/ > Code: > - Provider https://github.com/Cybersecurity-LINKS/openssl-ssi-provider > - OpenSSL https://github.com/Cybersecurity-LINKS/openssl > > [1] https://www.w3.org/TR/vc-data-model-2.0/ > [2] https://www.w3.org/TR/did-core/ > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] I-D on TLS authentication with VC Andrea Vesco
- Re: [TLS] I-D on TLS authentication with VC hannes.tschofenig
- Re: [TLS] I-D on TLS authentication with VC Achim Kraus
- Re: [TLS] I-D on TLS authentication with VC Andrea Vesco
- Re: [TLS] I-D on TLS authentication with VC Achim Kraus
- Re: [TLS] I-D on TLS authentication with VC Stephen Farrell
- Re: [TLS] I-D on TLS authentication with VC Achim Kraus
- Re: [TLS] I-D on TLS authentication with VC Hannes Tschofenig
- Re: [TLS] I-D on TLS authentication with VC Stephen Farrell
- Re: [TLS] I-D on TLS authentication with VC Andrea Vesco