IETF Logo Mail Archive

Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06

Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 25 June 2022 19:13 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52A41C14F734 for <uta@ietfa.amsl.com>; Sat, 25 Jun 2022 12:13:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.055
X-Spam-Level:
X-Spam-Status: No, score=-5.055 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, MALFORMED_FREEMAIL=2.052, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6G-9I6JlI8EP for <uta@ietfa.amsl.com>; Sat, 25 Jun 2022 12:13:33 -0700 (PDT)
Received: from mail-il1-x130.google.com (mail-il1-x130.google.com [IPv6:2607:f8b0:4864:20::130]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A4C1C14F727 for <uta@ietf.org>; Sat, 25 Jun 2022 12:13:33 -0700 (PDT)
Received: by mail-il1-x130.google.com with SMTP id h5so3565391ili.3 for <uta@ietf.org>; Sat, 25 Jun 2022 12:13:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=user-agent:date:subject:from:to:message-id:thread-topic:references :in-reply-to:mime-version:content-transfer-encoding; bh=dYwEFxVQreBoHWqkVtE9FA83SggL2WAUvDHHrFNSd7A=; b=A6uNtPpRDXrHdBf9DdwKg0jfaMGatQDFXXrMtSwgkusJEXC77SV+i959juDY8HNPz9 dZb0La3AAelp65b4xWY4rLZNoXo4T9ARkOoy4zCRbUVBmc/0KPT7L/7I9/VjE7KIEcJ7 la/JhtDXWa6ylAeaL3c2rCPtqxS1bMhpVyRhp2Q5F4daxYQcwbl798H6a5UxGG0Ab5RC wSqiAYIpKPwwzn+IJaFV2A1kJzW/4OUyEgO1lH27aOBABymt3MfRiSqiHNOmBJEOVTFE 44FKbp2l0RpGBUN1N/dGUq/6epwJtqIZ9ZMLmWFHmsaV9mztzZAU6ZHnxp7zoc0ixSI+ vI2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:user-agent:date:subject:from:to:message-id :thread-topic:references:in-reply-to:mime-version :content-transfer-encoding; bh=dYwEFxVQreBoHWqkVtE9FA83SggL2WAUvDHHrFNSd7A=; b=cYB+XfzsBOXSZ1AIWclshS0IGgBAP/vaOwQD9KqbLm6HqXr6yiWR4otDPvHfb0crr7 brAI7OdvVa2oR501FRiR0qrfAvIyCVmaivpPUbtq3ri+lJ0OwAp+2wzFy3oND7qvABuy CNlFlW7zPJdcwcrRjNrc+qrMRXF6Z9eblIkkxe2TdrcT+AVYPGR51mfdGZDGaQKC28ow f3wvIRRFccaGXelMjQxz5zf2CUAaGLpPY35bwyg/3NoCFDB8kiKq9qsBk+EGCtlsre12 RYICq+RT87CLVb2j2yVsVaBsgHaIjyvgIjs0Lo9QA8rs01NNF9pWTQ7z/albi7p2uAzx HG3w==
X-Gm-Message-State: AJIora921UnFiLeK95TR6umcdMGxPMZlfo2zMSFCxxfSxSQMjSMpYAYU JL8KzjmeJxKS2flvitFjwbkCBwswXCk=
X-Google-Smtp-Source: AGRyM1tgJyUJ/1SMu2jvSnXq5kKz6cSAsctIsNRXQ3JW5TJ9kt+T/Q9baUwhIUirT8qTnPouAaC9YQ==
X-Received: by 2002:a05:6e02:1a89:b0:2d9:2feb:da69 with SMTP id k9-20020a056e021a8900b002d92febda69mr2949958ilv.189.1656184412187; Sat, 25 Jun 2022 12:13:32 -0700 (PDT)
Received: from [192.168.68.106] (IGLD-84-229-147-215.inter.net.il. [84.229.147.215]) by smtp.gmail.com with ESMTPSA id a4-20020a056638058400b0033202bb9829sm2711359jar.49.2022.06.25.12.13.30 for <uta@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 25 Jun 2022 12:13:31 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.62.22061100
Date: Sat, 25 Jun 2022 22:13:28 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: uta@ietf.org
Message-ID: <DF17FC56-87DB-4002-B84F-A81B3AE99F83@gmail.com>
Thread-Topic: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06
References: <002e01d87e9c$78a002e0$69e008a0$@smyslov.net> <032e01d8878f$c2e8f630$48bae290$@smyslov.net> <A7E6035E-7BCF-4BB3-BB87-D261ED98532D@gmail.com> <YrdXuGgMKMM+gKJn@straasha.imrryr.org>
In-Reply-To: <YrdXuGgMKMM+gKJn@straasha.imrryr.org>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/6XSvnpSB1ZXxD-4pEZdEQdTnQR4>
Subject: Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Jun 2022 19:13:37 -0000

Hi Viktor,

My question was about identity validation, which is what 6125bis is about. So it's a subset of your second option, "validation of certificates". And yes, this boils to, are DANE-based EE certificates expected to adhere to the draft's requirements.

And the reason I raised this question is that the draft defines its own scope with these words:

	This document applies only to service identities that meet these three characteristics: associated with fully-qualified domain names (FQDNs), used with TLS and DTLS, and are PKIX-based. 

I wasn't sure whether "PKIX-based" should be interpreted to include DANE certificates.

Thanks,
	Yaron

On 6/25/22, 21:45, "Uta on behalf of Viktor Dukhovni" <uta-bounces@ietf.org on behalf of ietf-dane@dukhovni.org> wrote:

    On Fri, Jun 24, 2022 at 07:04:28PM +0300, Yaron Sheffer wrote:

    > * Similarly, it is not clear to me whether certs obtained through DANE
    > are in or out of scope.

    I may be able to help, but I am struggling to understand the question in
    sufficient detail.  Can you be more specific about:

        - What do you mean by "certs obtained through DANE" (typically the
          certs are obtained from the TLS server certificate message, and
          matching type Full(0) certificates in the TLSA record are very
          rare)?  Even then, these are semantically not much different from
          those sent in the server certificate message, other than being
          asserted or required trust anchors.

        - Did you perhaps mean *validation* of certificates (received in the
          usual way) via DANE TLSA records?  That is, are DANE-based
          expected to adhere to all the normative text in the draft?

          The main thing that's different about DANE is that in some
          application protocols Unknown Key Share issues are not believed to
          be a concern.  And in these cases EE TLSA records that specify
          only the certificate or public key hash validate a presented
          certificate with a matching public key regardless of lack of
          matching presented identifiers or inception / expiration dates.

          Validation via DANE trust-anchors is the same as validation via
          local WebPKI trust anchors, except that in the case DANE-TA(2) the
          trust-anchor certificate must appear in the server certificate
          chain when the TLSA record provides just a hash of its SPKI (or
          even just the SPKI, which I expect some implementations might not
          support, though this is supported in OpenSSL).

        - Either way, what is it that might then be in or out of scope?

    -- 
        Viktor.

    _______________________________________________
    Uta mailing list
    Uta@ietf.org
    https://www.ietf.org/mailman/listinfo/uta

v2.23.0 | Report a Bug | By Email