Internet Engineering Task Force 112, 12 Nov 2021

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF112-DANCE-20211112-1200

Description

DANCE meeting session at IETF112
2021/11/12 1200

https://datatracker.ietf.org/meeting/112/proceedings/

A

It wasn't disable your sound if it wasn't like your sound was disabled. It was the button for I can silence you, so I'm still getting used to all these, like slightly different user interface, when you're a chair, yeah.

B

Yeah, if you haven't carried anything in a while, it's a little bit different.

C

The locking queue is new and it's really nice yeah.

B

We'll give it another minute or so since I still see the numbers slightly climbing.

B

I don't think our agenda is that tight.

B

All right now, I no longer see it climbing. So let's go ahead and get started. This is the dane authentication for iot service, hardening and or dance. uh Actually, that title is the old title: isn't it um anyway? I am west hartaker, I'm here with my co-chair paul wooters, that is the mailing list, and that is our official icon for ietf112, hopefully I'll find other official icons for the future.

B

As a reminder, I'm sure you've all seen a slide like this for many times during the course of the week by participating in the atf you're going to agree to follow etf processes and policies, and you should be aware about contributions that you give to the etf and.

D

B

Patent related uh decisions and things that go along with that, I'm not a lawyer, so I won't try and summarize that more there's a bunch of bcps or best current practices that are about that in particular, including anything from internet standards, process to working group processes to anti-harassment to the code of conduct, copyright and patents, specifically on the code of conduct.

B

One of the things that we are trying to do is make sure that all members of the atf are welcome to participate and are treated with respect. Please do sleep speak slowly. We english is not the native language of everybody dispute your ideas by reasoned argument, not by emotional statements. I think that's something that I was just talking to high school students about this week.

B

It's a good rule of thumb um and use engineering judgment find the best solution for the whole internet, we're not here to design just corner cases and then contribute to the ongoing work of the ietf by participating in the mailing lists and the general discussion of pushing the all of the work ietf forward over time.

B

It's not a single meeting do be aware that all of these rules do apply to the jabber meet echo im system, 2, not just the microphone, because everything is logged permanently on web archives and also in youtube for working group information. We have a data tracker, you've probably seen it, and the purpose of dane in particular is to extend dane to encompass tls, client authentication, which is what we talked about in the boss that we had about how to use certificates to do client, authentication and not uh everything under the sun.

B

That's where we're starting the mailing list. Information is there. Hopefully you are all subscribed.

B

The mailing list has been kind of quiet, it's time to stir up the pot a little bit, and hopefully this meeting will be able to kick that off as well, and then there are three drafts that we'll talk about today as well to bootstrap our working group. So welcome to the inaugural meeting uh the chair, introduction uh is being done. uh Tim has agreed to take notes and is hopefully in the medical or in the um notes.ietf room right now.

B

I see he has notes in there already, so that is working. Is there anybody else willing to be a backup, note taker that can help him out.

C

I would just say not even so, much backup but just watch what I type about you, because people type a little faster than I type. So I sometimes you know miss stuff great.

B

Is there anybody that can make sure tim doesn't get things wrong, how's that so I.

C

Figure, the speakers can, you know, double check what I'm saying about that yeah. So I.

B

Will certainly try and follow some too, but.

B

David lawrence, can I call on you.

B

You calling on me yep. Can you back up tim on notes? I suppose I could do that. Thank you. It should be really just watching tomb type all right. Well, thank you to both.

E

One of my favorite pastimes.

B

Oh yeah, it's not my it's not mine either! So all right, so our conversation this morning we'll talk uh the way we've structured. It is we're. Gonna talk about use cases. First, I think one of the things that came out of the buff was uh people weren't, sure exactly how it was going to be used or where it might be deployed. So we've put together three use cases this morning for how we expect the dance, outputs or the tls client usage to work in um in.

D

B

Mechanisms and then ash will talk about the architecture document that he started. Thank you so much for getting that started uh ash and then uh schumann will talk about some of the existing solution documents and we'll end with any remaining time for um for open mic if there's future follow-on stuff.

B

Okay. So with that, I think we'll turn it over to bill.

E

So I'm going to hit the ask to share, slides and see what that does.

E

One of you guys now need to hit some button or something uh did you.

B

B

Oh yes, here it goes. Okay,.

E

Oh great, okay, so that's the uh let's see that one I guess share!

E

No, not that one! Sorry.

E

Actually here well, let's see just ask to share, screen and see if that was working.

E

No, I didn't change my mind. Yes, I want to allow oh.

E

Where were we there, we.

D

E

Sorry view slideshow there we go. Everybody sees that okay.

E

Yes, great all right, whoa, now it's uh advancing automatically all right. So um basically, I'm not gonna try and go into any great technical detail. I'm happy to answer any questions um uh in q a so forth. I'm just gonna try and give an overview of the use cases that I am aware of. So one obvious thing is that using dane to secure the dns is a demonstration of good faith, eating our own dog food etc, and it's feels to me kind of ridiculous to do anything else.

E

So I think, as a matter of principle, we should be using dane to secure the dns in addition, ca, certs or one of our big known vulnerabilities. At this point, the ca cert system is trash, and anybody who wants to see a cert saying that they're somebody else has no particular difficulty getting it at this point, and so those little green, lock icons don't actually mean.

D

E

And I sure, as hell, don't want to be depending on them for the dns as well, although that's kind of where we are right now, so uh there are obviously people who ask. Why worry about transport layer if we've got and then security in dns?

E

So dnsec is fine if you actually validate in the client, but nobody does and when I say nobody, I mean you know it's not built into the os in mac or windows, or you know, most unixes and uh the zone data was protected up until the point which it was signed and that's that's something I think a lot fewer people have visibility into, but um you know we do and what we see is really scary.

E

um So I think uh we we really need automatic tools there, um things that are applied by default, rather than assuming that the people who have the unsigned zone data are fully capable of defending it against attack and dnsec is fine. If everybody's going to see the same records right, if, if you're never going to distinguish between different people and hand, different records to different people, then no issue, but that's also something that people want.

E

So uh dns great for authenticating the content but doesn't uh deal with authorization um and we already do authorization throughout the dns publishing chain. We just do it in a variety of awful hacky ways and what I would like to see is one nice clean way that applies at every stage here, like each of those little red arrows is done, the same way not using a different hack.

E

So if we look at the beginning of the chain, the stub and caching and recursive we've got this problem of split horizon.

E

Where people in enterprise do a lot of split horizon, they depend on a lot of split horizon. Everybody gets that's ugly and not a good idea, but you know we also get that it's not going away anytime soon. uh So what do we do with people working from home? And you know kovid and zero trust, security and so forth? We need some way of supporting split horizon. That does not depend upon an ass in a seat in an office in a specific location, uh so tls client authentication solves that problem very neatly.

E

The hack that people are mostly using right now is using vpn authentication, which is built into os's, you hand, somebody a unique ipv6 address and then in the name, server in the recursive server or the caching forwarding server.

E

You give them different answers depending what ipv6 address the query is coming in from um that's it's a thing that you may already be having to do for some reason anyway.

E

But if all you want to do is give somebody a different dns answer, it's a very heavy weight mechanism for doing it requires a lot of moving parts that are sort of outside the dns. There's. Also a huge demand for closed community recursive, resolvers recursive resolvers that are not public, recursive resolvers in the sense of answering any query that comes to them from anybody on the internet, but are recursive resolvers in the sense that an enterprise would have had them internally prior to zero trust, work from home, blah blah blah.

E

So we have people who want to run a recursive resolver that has a closed user community and is not answering for anybody in the whole world. um So we need a way of authenticating a client. For that uh and again that's you know. People are trying to do vpn auth for that which is a hassle between recursive and authoritative.

E

um This again isn't probably visible to everybody, but there is a huge amount of um iplayer prioritization that happens between authoritatives and recursives. So if you're operating large authoritative, you have a list of the ip addresses of all of the major recursive name servers all of their upstream transit interfaces and you try and keep that list up to date and when a ddos comes in those are the ip addresses that get the answers. First, uh that is an immense headache.

E

um You know: we've got google quad, 9, cisco and uh cloudflare at this point, and you know they've each got anywhere between 30 and say 500 ip addresses in v4 and another 30 to 500, ipv, v6 addresses and anytime they're. Changing.

E

We either have to sort of deduce that by where queries are coming from, and you know, patterns and so forth, which is a mess or we have to communicate it, and that's really just not anything. We want to be having to communicate as a recursive operator.

E

I don't want to be having to tell every major authoritative operator what every ip address I'm using for transit is and as an authoritative operator, I don't want to be having to track all the ip addresses of all the recursive operators.

E

If I could specify a recursive operator by domain name and see a client cert match that domain name and know that everything was good. That would be much much cleaner.

E

Then we've got the authoritative anycast to the hidden primary to the dnsx signer. That section is all handled with xfr and tcig and so forth that all works, but tcig is shared secret. So it's super clunky and the net effect of this is that people wind up reusing, dcig, keys across multiple sessions, multiple partners, um you know, organization to organization. They may have a unique key, but then they've got a whole bunch of servers on each side and they're reusing they're, having t-sig keys floating around in configuration documents in documentation in email in chat.

E

You know it. It is a a vulnerability again.

E

Tls solves this problem and then lastly, the the thing I mentioned up front uh zone data is typically authored on a machine and by parties who are not capable of doing dns. For the vast majority of zone data that winds up signed. The person who authored the zone data is not the one who's applying the zone, signing keys to it and getting the zone data safely into the dns signer.

E

The person who operates the dns-expiner may be perfectly capable of securing everything downstream from that, but the upstream side. You know it's one of those situations that we hope. Nobody looks very closely because garbage in garbage out so having something that worked by default. That gave transport layer security between the authorship of the unsigned data and the signer would make.

E

You know, give me one fewer reason to chew my fingernails. So um that's it for me. um I think we need to be able to authenticate both parties of any dns transaction wherever it is in that chain. I think tls bidirectional auth is the only reasonable way of doing that. I think dane. Tlsa records are sort of the the reasonable way of getting tls keys distributed at scale, but you know your mileage may vary and I don't really care how other people do it.

E

I just need you know the jane tlsa stuff to be supported in clients. um That's basically it! I just think we need one solution here, not a whole bunch. So that's it for me.

B

All right, thank you for that bill. um As a reminder, you know not. Everybody has to agree that all of these use cases are for them, but we're just trying to find some of where different people will apply this resulting technology. um Dkg. Do you have a clarifying question? We're not going to do much discussion or bashing about things nope? Okay, uh victor. You have a clarifying question.

F

uh Clarifying uh one of the things people didn't mention is using dainty lsa to authenticate ongoing maintenance of dainty, let's say or decide, may have missed it. If you didn't say it uh so I'd like to see that uh discover discussed, because if we're actually going to rely on it, we also need to be able to keep it working.

B

B

We're there and then.

G

B

B

It is, it is possible that uh uh dkg.

H

I just wanted to ask victor to say a little bit more about what he means by maintenance. I didn't understand his question, so I'm asking for clarification on the clarification.

F

Okay, uh what I mean by that is that some people are in the habit of uh uh publishing, dainty lsa records and then not doing a good job of keeping them correct as they roll with ease in part for lack of sensible mechanisms to make changes to the dns in part. Other kinds of planning things that I may be able to help them with software. For but I'd like to see name servers provide a dane-based mechanism to keep dan records updated, not just initially published.

B

Okay uh dkj: do you have more? Is that an old hand.

H

Yeah no, this is this. Is me back again um thanks victor. I understand that now I do have a clarifying question about the use cases here. um The use cases that were presented, I think, are well motivated. I see the need for something that solves those problems, but I am not entirely convinced that client authentication is the thing that's needed to solve those problems, so so.

B

H

B

Right that that not all of these cases, you know you may want to solve something differently, but this is where people might want to deploy it. This we're not actually arguing uh that that this is where we are targeting, but it's at least a use case to consider when we're developing the protocol right so.

H

We're not actually typically.

B

Because it's very good, we.

H

Typically, do it the other way around right where we say: okay, what's the problem that we're trying to solve, and then what are the possible protocols that we could use to solve it? And, let's figure out, um you know what what those protocols are as someone who's seriously concerned about the tying dns queries to individual identities.

H

I would, if we're going to be talking about how to solve some of these problems. I mean I I think. Maybe this is a I'm, I'm more comfortable with the recursive resolver to authoritative, uh authentication side of things here, um but the the client um like, if we're trying to solve the problem of how do we work with a closed community resolver that has special rules.

H

uh I would much prefer to see a working group like this think about non-client authentication mechanisms that would solve that problem. So, if we're talking about that is the use case, I think that it opens the door to a lot more work.

B

So that makes sense right. This is not the use case, or it's not even a guaranteed use case. This is trying to get models around when we're talking about the architecture document and framework that uh that somebody has the opportunity when they start talking about it later that we've, you know, seen a presentation on what they're thinking ahead of it. You are right absolutely that uh that we are not going to take this on as the use case.

B

It is more as we start working on the the solution framework um is is: is this the one that we want to consider in the future so um bill? Do you have an answer and then we are going to go on just to get agenda on time.

E

Yeah I mean on that specific thing: um blind inserts and role authentication doesn't have to be individual authentication tied to a you know: identity on a passport.

B

Okay, thank you, um ash. You have next up and uh on device to cloud and the eps case are sort of both yours.

B

I do. I will say that I think the eps case we agreed would be out of scope for the initial work, but it's still our initial architecture should enable that to happen at some point right. Yes, yeah.

I

And so a lot of the stuff that I'm going to be uh some of the stuff I'm going to present as context, but it's definitely you know how. I would like to note that some of this stuff is outside the scope of the charter.

I

um Let me get the presenter view going.

I

All right so, first we're going to start with uh device to cloud right.

I

So the device to cloud use case is particular to iot, but it's very close to a lot of other sort of patterns you see even with workstation access to cloud applications.

I

So, let's, let's jump in um this, is going to be brief and it's not going to go um extremely deep into the the protocol. But I do want to talk about um two different approaches we might consider for anti-abuse, uh and so this is some stuff that kind of came up. I was doing some uh playing around with some how this might be implemented and um and at least should be recorded, and we should uh contextualize the way that we build the final standards with uh with this stuff in mind.

I

So the problems that we'd like to solve um you know in dealing with client uh passion.

B

It's not yet being fully shared. Oh.

B

I

B

Did you click, ok and select the screen.

I

I know what I did wrong: I'm sorry, okay,.

I

Okay, there we go all right, so um https device to cloud use case. There are a variety of protocols that you can use for device to cloud. Sometimes that's mqtt, sometimes that's https, but I'm covering specifically https for this.

I

um We'll talk about some of the challenges with getting client authentication to work for https and tls at scale for a great number of devices and uh we'll discuss sort of two sort of ten thousand foot view two different approaches that we might consider for anti-abuse purposes for the protocol, and then we can have a brief q. A the problems specifically that we seek to solve have to do with using um public key based identity at scale uh web applications um and especially when you start looking at cloud applications.

I

The cloud side can get decoupled very easily because of orchestration tools. Make that easier to do so. You'll have a you know. Your tls termination might be happening on the front of the application in a dedicated load, balancer and then you'll have web applications behind that um you'll manage client configuration. You know, roles and and um and identify your association inside the application.

I

um But you know when you start it becomes very difficult to do that with uh with pki, because you may have to synchronize settings between your application and your load, balancer and, um and that can become problematic, also problems that um you know that we heard earlier with. You know the problems of pki, where you can have identifiers in one pki, may also appear under another pki, and so naming collisions impersonation happening. That.

D

I

And also when you start looking at smaller organizations that maybe can't um good identity strategies like using pki-based identities are not as approachable because of the infrastructure cost and having to um to operate your own ca traditionally or you know, and everything that comes along with that.

I

So what we'd like to do is we like to make pki based identity more accessible? We think that dane can do that and we go into more detail in the architecture document with how that works. You know having identity suppliers.

I

But the problems particular to um doing this with https.

I

When, if you have a bunch of devices, you know consumed by an organization and they all need to onboard to a cloud application, oftentimes you'll see an api to api integration, and this is you know, between something: that's acting as a certification authority and a cloud platform and they're either moving the trust anchors over or you may just do a bulk move of you know: device public keys or certificates and using dns just to discover entity certificates by name is a lot.

I

I think a lot cleaner way to do things, but when you get into the implementation, um you know the way that we've discussed this so far is in having the um during the tls handshake, actually doing the uh the dns lookup and doing the dane comparison.

I

However, a challenge that comes with that is that you really need to have an allow list. If you don't have an allow list, then anyone presenting a client certificate and supporting the dane client id protocol could possibly trigger a dns lookup against maybe a maliciously configured resolver that doesn't respond very quickly.

I

This is sort of a play on the slow loris attack and it presents an interesting engineering challenge in the implementation. So this is something that's worth considering um you know. Do we do this part inside the tls handshake, or is there a different way that we can do this?

I

You know that might make anti-abuse efforts a little easier to to manage, and so we may consider a tls, cooperative client authentication protocol where you have the tls terminating load.

I

Balancer will authenticate a certificate and in the http headers, or rather in the uh something like post data, you might have the dane id indicated, and so once that certificate's authenticated- and you know that the possessor of the private key is on the other end of that connection, the certificate gets passed through to the web application, as well as the dane id, and so the web application can then look at the id and make sure that the uh the identifier is actually a valid client for the application before going to do the dns lookup, and so you know in this case you wouldn't fail.

I

The um you wouldn't have the tls connection fail. It would be something signaled by an http error code, um but this might add this might make for an easier implementation.

I

You know within some cloud applications anyway.

D

These are just.

I

Some thoughts that come out of doing some test implementations and you know for uh by way of illustration. This is what that might look like. uh You have a uh the device uh abc.device.example on the left has a certificate presented in dane or using a tlsa record in dns, as it attempts to authenticate to the load.

I

Balancer load balancer is configured to authenticate any certificate to make sure that the private key is is held by the client, and then it passes that through to the application behind it, the uh the application behind it then make sure that the um the client name that's coming through in the post. Data is actually on the list of allowed clients, and then it checks that against dns and then it can allow it into the application, and so this makes it comparing this to a situation where one might have to to.

I

You know if, if the tls handshake is held up to do a dns query and the client is able to sort of game that process to have a bunch of tls handshakes open at the same time, that might be a dos opportunity. So, there's probably a really good way to solve this in the tls handshake. You know with managing timeouts or making sure that there's an allowed clients list.

I

You know, but this is anyway. This just shows maybe two different approaches we might consider for uh for mitigating abuse. On the on the application side.

I

And we can go to q.

B

A uh ben clarifying questions.

D

uh So, are you okay? I will phrase this as a clarifying question. uh Are you assuming that the client does not ship a a complete, dane search chain or a signature.

I

Chain, um the expectation is that the client will present a certificate, um and so are we are we talking about the sort of the tls native method or the uh the http method.

D

So I I'm neither um I am I. I am uh attempting to to argue to you that that the right answer here is for us to say that the the client needs to ship a complete signature chain to the dns route.

D

So that the server has no work to do, and they I so I agree that these are real problems. I just think we should completely prevent them.

B

D

Think that's a great idea.

B

um Are you suggesting ben that that you actually send the dns keys and the signatures all the way up to the root, so that there's no dns queries that need to be made.

D

Exactly the the server should should not have to perform any network operations or rely on any caching uh in order to validate the client identity.

D

I like it that sort of unwinds the whole problem.

B

There was sort of that discussed it in tls at one point um all right. Victor.

F

I uh agree in part with ben, but I wonder whether that should be an optional feature. If some server wants to ensure freshness of the data, the client may be shipping slightly stale information right subject to rrsig and all that, so it's a it should be possible to do that. We may need tls extensions to negotiate which of those scenarios happens.

B

Engineer that at the moment, because the reason I'm doing clarified questions is that we can get to all of these when we get to the architecture, discussion.

J

uh Yeah, so I think that's an option we've discussed in the past. We haven't written it down anywhere, but the possibility is. We have a mechanism that can kind of do that right. The tls chain extension, which victor is very familiar with too uh only then we would have to kind of configure it to go the other way from the client to the server rather than the server to the client, which is how it was originally envisioned to work. But I think that's that's a possibility that could be implemented as part of the dance floor.

J

If there was interest.

B

Okay, thanks so ash we can go on to the eep case.

B

I

Let me get this going.

B

Been asked to use the uh the pdf sharing version of uh in meat echo because it takes less bandwidth, but we'll work on that in a bit. Okay,.

B

I

B

I

So the the tls use case is a network access use case and this this could work for wireless or wired access for devices um and so similar flow to the last one, um except a little bit less into the uh into the protocol. We'll talk about some of the challenges with uh client, identity and um and then we'll look at how dane maps to the uh to the use case.

I

um The challenges with epls supplement, authentication and supplicant is: um is the tls client in the eep authentication process. So your epls authentication process.

I

um It is prohibitively expensive for small organizations to adopt this authentication mechanism, and that comes with the expense of operating a pki or certification authority, um and so the it's also limiting when you implement a pki, because you create your own namespace that is local to the organization or to the application and- um and you know, there's a there's a time factor in that as well- and this is you know very often, you see this in use in enterprises, but small businesses and smaller organizations.

I

It's uh it's more difficult to adopt um and then that identity, if you have an identity issued by your home organization and say you're a contractor and going to do work for someone else. You can't use your your home organization, identity at a client site to access.

I

You know: guest guest wireless for instance, and so, if you think about you, know the the hoops, then we oftentimes see organizations jumping through to implement something that you know that isn't too complicated for guest wireless access having time down tokens and everything like that for accessing a very specific network. It's a lot of hoops and a lot of automation that kind of comes into play, and I think that uh using dane for client identity can cut through a lot of that unnecessary complexity.

I

So using using dane for the supplicant identity gives us one device identity and because it's represented in dns, you can use it.

I

You know potentially across different networks, different providers and you can then it becomes pretty easy to configure an access list even across organizations because you're just working with dns names, you get revocation at the speed of ttl, so you pull the record from dns and it can't be authenticated.

I

And so that's a really good way of you know disowning a device that might be compromised and and then you also get the benefit you know of having a third party. You know poor manufacturer, providing an identity that can then be consumed by an organization and and used without them having to operate their own pki. And so that's how you kind of get to a um you know.

I

A very low friction, uh pki onboarding process for the network, um and then you have the uk use case for uh even leased devices, and so, if you have one organization that provides devices and uh to another organization, uh onboarding those to the network becomes very easy. You can say: well, I allow you know uh you could even do a wild card match. You know to say: well I allow any camera coming from this vendor to uh access this portion of my network and things like that.

I

So um it gives a lot of flexibility and you can be very you know you can use wild cards. You can be very specific, but it seems to be a really good way and I keep coming back. I guess in my mind to the analogy of using network access lists and how that you know makes sense.

I

You know for network flows higher up in the stack using dane identities, to describe interactions between clients and servers seems like a uh a much easier way to do things, and so you know the way that you might the specific on-boarding process for an implementer is, they might, you know, have the get the device in hand you know and add that dns name to the network access list configure the device with the wi-fi ssid that it needs to attach to and for traditional ca based authentication.

I

Then you would install the ca certificate for maybe the radius server. That's that's performing the uh the other server side of the tls connection um we have discussed, you know uh passing uh you know like passing the dns chain in the tls handshake. That might be a way around uh having to install a ca certificate.

I

But that's that's something. We've discussed it's outside the scope of the charter, but I think it's definitely worth consideration, because that would act that would make it dane end to end both ways.

I

And then your network bootstrapping is complete, and this is without having to uh you know to deal with the process of you know, signing a certificate or issuing you know a device identity. It arrives with a usable identity and getting it onto the network is just a matter of a couple of configuration items.

I

The way that this might look is a vendor supplies, the implementer with devices and the vendor places those device, certificates or public keys and dns um the implementer configures network access. It just adds the um the names of the devices into you know the radio servers access list, for instance, and then after configuring, the devices to point to that um access point or whatever. Then those devices are able to authenticate and be authenticated by um by the radius server just using the uh the dns name to do the certificate comparison using dane.

I

Thoughts clarifying questions.

B

H

Hi, this is daniel again um thanks for presenting this. How are you imagining a client selecting which identity they want to present? In this eaton case,.

I

um The client deciding on which identity to present to the network.

I

And could I get you to restate your question.

H

Yeah, um so I'm trying to understand how a client would be expected to choose an identity when, when uh doing when, when doing eep right, uh I think the the use case you described is sort of a distributed, one where the client is using the same identity to multiple providers, and I'm I'm just wondering if you have any thoughts about how a client might like. Is this going to encourage people to always, you know, publish their citizen id as they make a connection, or do we think that people are going to be able to like?

H

Do you see this as something that would be relatively easy for a client to select which identity they use um for any given network like what? What are the sorts of uh ui affordances, that you would that you would need to avoid one person having to present the same identity everywhere.

I

That's a really good question, and so I think that protecting privacy is super important.

I

This might be a case where you have multiple identities, having uh identities issued in this way in a way that doesn't require the implementer to to operate the pki, you could purchase a number of identities from a from an identity vendor like this. uh So if I go to you know identity.example and I purchase you know a number of pki identities to install into my device. Then I might be able to select one and, depending on the network, I'm accessing um you know if it's a public public, wi-fi network.

I

Maybe I just randomly pick from whichever one that I want the original driving use case for this has a lot to do with iot and in the iot use case, where you have and I'll use a specific example. The uh esp32.

I

System on the chip has like four, I think, four megs of uh flash storage and so you're not going to squeeze a whole bunch of certificates onto that.

I

You know: certificates and private keys onto that device, because it's really the storage is really constrained, and so I think, with a lot of iot use cases, especially when you start getting into that that borderline close to the low power stuff um it'll just have one identity that it'll use for a um you know for a variety of networks and with you know, when you consider you know, if someone leases a bunch of device, uh you know smart light bulbs and they want to use etls for them.

I

um Then the idea is that you would, you know onboard these devices, but they would use the manufacturer issue certificate to access an enterprise network. It definitely bears some consideration: uh privacy, wise for users and that's.

I

We should make a note of that and make sure that if we start prescribing this for user access, then we have some privacy protection in place.

B

Okay, thank you, um let's go on to victor and then we really need to get moving we're a little bit behind, but we do have a buffer today. So victor uh yeah.

F

I'm just concerned as always about this long-term stability of uh vendor credentials, right vendors, also light bulb, and tomorrow they're gone. So I'm skeptical about this use case. Sorry, where is not a clarifying question, but I think it's an important consideration to cover.

B

Right, so we will we will. We will talk about that when we get to actually solving that problem, but fair point right, all right, uh so ash, let's go on to your actually also for the architecture presentation right um so, instead of if you could unscreen share and then use the second button from the left of which is in between the screen, share and the hand icon to share using that slide deck instead, assuming your slide deck is up to that should save bandwidth for some of our downstream users. Thank you very much perfect.

I

Dance dance architecture.

I

All right and so um sort of diving into the uh to the architecture documents uh which was a part of the original scope of the working group, is to produce this architecture document, together with guidance for implementing uh dane plant identity in the tls handshake.

B

uh You're very happy for me: uh could somebody else enjoy say whether whether it's just me or not,.

B

Keep doing ash and then we'll um okay!

B

Oh it's just me, never mind. Go ahead.

I

So um similar float to the other presentations, we'll start with the problems, we'll look at how dane maps to the problem space and then we'll go through some of the some of the use cases where we think it might fit and before we get uh too far into this disclaimer this does um you know in the interest of painting a larger picture.

I

This does include some non-chartered items, so we talk you know later on about what, if object, security were part of this? This isn't intended. You know to require the working group to go in that direction. This is to say in the fullness of time, and if there were interest, you know beyond a rechartering.

I

This is what a more complete ecosystem might look like. So I wanted to preface this presentation with that.

I

um Again, the problems with pki based identities: it's too expensive, smaller organizations can't adopt it easily and, um and it doesn't really work very well across organizational boundaries. um It's operationally burdensome that comes along with the expense you have to have people to. If you're doing it right, then it's not cheap. You have to have people maintaining it and protecting it and resource constrained organizations are left vulnerable because it's hard for them to adopt.

I

And then the restrictive- you know I've already kind of spoken to this uh before, but you know getting trust to work across organizational boundaries and using policies within the you know. uh Within the context of peak, kicks is sort of a challenge, and then you still one pki does not have a way of preventing other pki from signing identities with the same identifier and so the challenges that come along with that.

I

It's it's really complicated. It's unnecessarily complicated and I think we can solve this with dane.

I

I've already talked about that, so, let's talk about best practices for a second. um The cloud security alliance recommends that, in their summary guidance document for identity and access management for the internet of things, they say that step one, a you should define a common name space for your iot devices, and that makes a lot of sense. I think most people would pretty much agree with that, um and so from this decision point um a lot of architects will say all right.

I

Well, I want to use you know this strategy or that strategy I want to. You know, indicate the taxonomy of my device it's from this vendor it does this thing this is a serial number or maybe it's just using the hash of the public key as the identifier, but then you end up when you're trying to troubleshoot an audit. You then, are describing trust.

I

You know trust relationships between entities represented by two different namespaces, and you know what, if, instead of creating a new namespace for clients, we just use the one that we use for server identity and that's dns.

I

And so using dain for client identity, pki namespace being bound to dns. You know it's recognized wherever dns is used. We all agree on the dns and it's not like you know.

I

If you stick something in blockchain, then the next question is well, which blockchain is it in and what does the api look like and it gets sort of complicated um you know using the dns namespace, it's everywhere you get the ability to look up public keys by name and a lot of the uh the challenges you know with using traditional pki dealing with restful apis on cas just goes away.

I

Organizations are then able to purchase devices or lease devices with identities that are immediately useful, um and so that takes the burden off of the implementer. You know or the consumer, for you know provisioning that pki identity and the network onboarding process becomes a lot easier.

I

You know uh adding adding a device to a network uh means adding the dns name of the device to the access list, uh allowing application access means that you add the client's dns name to you, know a an access list or a role inside an application and for the object security use case um using dns for public key lookup um for signature, verification or um object encryption.

I

It's uh it flows really well works across organizations um and the complexity. You know that you have of you know integrating different apis just goes away. If dns is the api, then the sdk's already built into the operating system.

I

um The example that I'll walk through is one of uh let's say an autonomous car use case, and the uh cars.example organization um has autonomous cars that they allow to drive around a uh you know. A city and the city is uh falls within the jurisdiction of gov.example gov.example, says you're only able to drive that on certain roads that we say are okay and you have to report where your cars are driving um regularly, and so these autonomous cars also generate a lot of data while they're driving.

I

You know the sensor readings things like that all kinds of telemetry pictures, um and so they frequently need to upload this stuff to a uh you know, to a cloud storage platform for parsing and for training, machine learning models. Things like that, um and so the uh cars.example organization has a relationship with isp.example.

I

Isp.Example runs a bunch of consumer premise, equipment all over the uh the jurisdiction and so they're able to stand up a you know, a wi-fi ssid, that's more or less pervasive everywhere these cars are going to drive, and so this allows the car to or any car in the fleet to access these networks for periodically uploading. You know these massive amounts of telemetry.

I

um And so looking at that universal client credential, let's just say that you use um use the same credential for network access as well as everything else.

I

In some cases, that's not ideal, but for the purpose of simplicity, that's how I'm going to describe this use case uh so car's driving down the road and it has the cars configuration says that it knows that it can authenticate to public.isp.example. Ssid is named public.isp.example and and so as it's driving along. It detects that ssid. If it needs to upload information, then it's able to do eat.

I

Tls client authentication to any of those access points as it's driving around the city, and it can use that to upload information to the storage platform you know or for internet access, updating maps or machine learning models, whatever general network access um and so that same identity works when it pulls into the parking lot at the home office, and so it can use the same credential to access wireless.car.example and um the you know uploading telemetry to api.cars.example.

I

Might uh you know it can use that same client certificate for mutual tls authentication with that restful api, and then it can use that to upload uh whatever information that it has um and for compliance purposes.

I

um Yes, it submits a a jws of um of different points of uh you know in space and time where that car was so that the government entity can can confirm that it didn't go outside of its um of its allowed geofence, and so the way that that interaction happens is the car uses the um its certificate as a client certificate to perform mutual tls authentication with um mqt mqtt server, and it put it places that signed jws document onto the message broker, and so you know the uh the document can then be saved and it can be verified later on when it's parsed and compared against its allowed geofence, because the uh the jws document contains you know in addition to the payload.

I

It also contains the dns name where that public key can be retrieved for authenticating the object.

I

And so what we have here is we have a card that uses a single identity represented in dns car54.underscoredevice.cors.example.

I

And it uses that identity to perform uh eptls client authentication uh with uh multiple wireless networks. um Also sorry, tls, client authentication with multiple wireless networks, uh tls client authentication with uh with its home organizations api server, as well as the report.gov that example mqtt server for delivering that uh sort of the geolocations and times.

I

And then the um gov.example can then reach out through dns to do a public key lookup to verify the messages that are placed in queue by the um by the device or by the car.

I

Now, what we see is as possible protocol use cases, and these are listed in the in the architecture. Document start tls for um for the email ecosystem, uh eat, tls for network access, https uh and mqtts, which are particularly useful for iot, sip and webrtc, as well as some some use cases for lorawan object security.

I

Should we decide to go that direction after a recharter, jose and cozy um make a lot of sense? There are some metadata fields already defined where this fits really well and xmpp. End-To-End encryption seems like it also might be a really good fit and client public key discovery for ssh is something that might be worth considering later on, as well.

I

And there's a we should also bear in mind as we do this, even though this is not going to be defined. You know necessarily in our uh you know, within the scope of our charter. We should also keep in mind that anti-abuse efforts can really be aided by having a good, solid identity, um especially where the identifier indicates the owning organization, and so um you know being able to report misbehaving devices using a dns names using a dns name.

I

You know sort of takes out the um you know, so some of the what might be subjectivity and processing a uh you know a distinguished name from a certificate or um you know, client common name. So these are things that we should keep in mind uh for security's sake. I think it's important to recommend dns over tls for integrity's sake. The stub resolver should be doing dns validation and availability wise.

I

You know we talked about mitigating this with using the uh tls chain or the um dns chain in the tls handshake, but only performing a dns lookup for allowed client names is a pretty good way to you know kind of close the gap that could be exploited and a few links to the the working group, the architecture document in data tracker, as well as github, and now we can jump into q a.

B

So I accidentally killed your video ash if you want to bring it back. Sorry about that.

B

uh Anyway, so uh q a so um anybody have questions about ash's presentation, I will say some of those items you know were out of scope again the year for for the working group. At this point, the goal is to create an architecture that may be usable, for you know, lots of cases um uh you know like epls, for example, is even I think, declared out of scope initially and things like that, but enabling it if we want to if the itf wants to take on that work in the future is important.

B

Anybody have questions or comments. uh This is a time to talk about the architecture regardless of this. This is not just clarifying questions at this point. We do have time for discussion. um I think one of the outstanding questions, in my mind, is in the architecture document where you know.

B

I believe that we need to talk about naming of entities and and make sure that that architecture framework you know marries with the rest of the ietf terminology as well as pick uh the best example, you know use case that we can state what it's going to look like architecture, wise and explain it so schumann,.

J

So um this, since the architecture presentation that ash did talked about some for future, looking use cases too, I just wanted to go back to the suite of use cases that we uh did discuss prior to that and the one that I know. I mentioned this on the chat to the one that I noticed that was conspicuously absent was the smtp transport security use case, and I was wondering if I could, if we could volunteer victor to say just a few words about that. Just to you know, make sure.

B

It's on people's mind. Well, victor does happen to be in the queue so.

D

B

Didn't have that in a slide deck, but, but probably I should have probably poked victor to make him present slides uh victor. Do you want to talk about the smtp client use case of this at all.

F

uh Sure I can briefly describe the uh the issue, so the smgp client that I was interested in way back when schwein draft is, is an mta, not an end user, with a with a male client and in the mta to mta use case, the clients aren't trying to hide their identity.

F

In fact, they're trying their hardest to, in most cases, to convince the server that they're legitimate and should not be spam filtered, uh and it would sure be nice to be able to uh not only uh have uh audit trails in smtp received headers that uh show you that a message came from. You know a source that you can trust, but also to be able to apply a reputation uh to uh instead of ip addresses to uh pre-trusted domains.

F

We do some of that these days uh with uh you know, uh dkim and dmarc, and the like. Those are end-to-end signals that tell you who wrote the message, but it's also useful to have transport security indication in this case mta to mta, and with dane, we could onboard that incrementally negotiate its use.

F

uh So the goal is to be able to know who's talking to you as an mta, smtp client.

F

Now uh so that's all I wanted to say about it. Unless people want me to say more, I don't know what else there is that people want.

B

That's probably good most people have questions, but you also stood up to get a question probably too right.

F

Yes, which I will try and still uh remember uh in this case, all right. uh It's a question and sort of a comment. One of the things we're not talking about in this charter is any kind of exchange of credentials.

F

You might start with dns to you know, authenticate yourself to some point in the network, but having achieved that, having authenticated to some sort of authentication provider, uh we then I need to think about whether that's the whole story or whether we you know federate, you know, sort of in in some way uh trust brokers of various sorts. That can then authenticate you to other networks uh by other means than than this mechanism you know is: is there a more complete architecture here?

F

One of the things that I had been looking at but never had cycles to do was in fact bootstrapping cross-realm kerberos, with dane, which would allow kdc's to authenticate each other and then make it possible to have a kerberos mesh, that's kind of internet scale by using dane between the kdc's, but then user authenticates to local kdc, not to some remote entity and kdc's have wonderful things in terms of you know. Probably dan gilmore will be happy to hear. Kdc's can support anonymous credentials.

F

uh Kdc's can do all kinds of renaming and masking and so on, having authenticated the user, they might then present them with a credential that authenticates only the organization and masks the user identity um things that can't easily be done.

F

uh If the architecture is, you know, single party all the way to the end, and this is a much bigger problem of course, but I think it's, the more ambitious architecture has some merit. We ought to think about what is the full life cycle? Is there a federation story here, in addition to dns being federated in terms of trust and so on, being federated as well?

F

And, of course, I don't think people have appetite for these larger architectural questions, but they they come up.

B

Victor um paul.

G

Thank you. So um this is uh related to the architecture. Draft. There's a question about scalability. You mentioned that a client identity zone is essential for actually authenticating, but in the event let's say the client identity zone goes offline or it's unavailable and you're not able to authenticate.

G

I do you look at the possibility of a fallback solution, uh the intent to actually discuss, maybe a fallback solution in case such events occur.

I

uh I that's that is certainly worthy of discussion. uh We didn't put that in the architecture document for fear that it would. um That could be a whole other sort of area of uh of study that could be addressed, maybe by a caching strategy on the server side of the tls connection, whatever application that happens to be, um but it's um you know is, if that's worth pulling in the architecture document, I'm happy to and getting some discussion around it because having having a good fallback mode uh could be useful.

B

uh It's definitely an interesting use case, the um uh or not use case uh side effect and actually putting records into the tls client certificate. Actually that was discussed earlier. You know potentially one way around that right if the dns key verification all the way to the top, for example, victor.

F

In terms of scalability and fall back, it sounds a bit like using dane not for every ongoing authentication, but for enrollment.

F

So you present your gain credentials initially, when you first interact with some party and then in many cases you might obtain a bilateral credential and future interactions don't require good.

B

Point all right: well, I see the queue is empty and that's probably good because we're right on time to switch to schumann and the two existing solution documents.

B

So, whenever you're ready to present your slides, ideally using the file sharing mechanism over the screen sharing mechanism, that would be good.

J

Okay, so how how do I do that? I don't think I've.

B

It's the one to load.

J

Slides is it that one.

B

It's the pre share, loaded, slides. It looks like a file icon with a slash through a file icon. Oh there's a hand like on which you know as yeah.

B

And forgive me I'm trying to find it. uh I can share it if you'd rather.

J

uh Yeah, actually, if you don't mind, could you do it.

B

um The name of your use case so, let's see chair.

B

Client authentication is that it.

J

Tls client authentication, yeah.

B

J

uh All right, okay, so uh I'm going to do a quick overview of uh what we think are some of the initial uh protocol building blocks for implementing the dance architecture and the various use cases uh that have been discussed. Now.

J

We've gone through a little bit of this already during the boss sessions leading up to this point, so some of you may have seen bits and pieces of this already, but now that we finally have a working group, I think it's useful to kind of rehash and refresh everyone just to make sure we all have a common understanding. So we have two drafts listed.

J

The first is about dane client authentication, and the second is about a tls extension to convey a client's intent to be authenticated by dane and optionally to actually convey the full client identity as well. So next slide, please, yes,.

J

The goal is to be able to authenticate the client side of a tls connection, with dane today, as many uh of you may know, dane is used primarily to authenticate tls servers, so this mechanism is about extending it to do client authentication too a little bit about the history. These drafts were originally written, um quite a while back.

J

In fact, we presented this work uh back in ietf 93, that was the summer of 2015, believe it or not, and the dane working group which existed at that time- and there was quite a bit of discussion and interest at the time.

J

But then the dane working group shut down because it had finished its original charter of work, and this item wasn't on that charter and kind of the authors- didn't really have the time or energy to continue pursuing it, but the original target use cases at that time were uh iot device, authentication and uh and also authenticating clients in smtp transport security. I think those use cases are still valid as you've heard today and it looks like there are several more application areas that may benefit from these protocols to the next slide.

J

A quick protocol sketch, basically the tls client, is expected to have an identity in the form of a dns domain, name, a public and private key pair and a certificate binding. The public key to the domain name, and there is a corresponding dame tlsa record, signed and published in the dns.

J

The tls server sends a certificate request message in the handshake and the client in its certificate message uh includes a dane client id extension I'll describe that extension in the next slide. The tls server then extracts the client's identity from the presented certificate and then obtains the dns tlsa record authenticates its signature and validates uh its sort of record data against the certificate or.

D

J

Key in the certificate uh next slide, please.

J

Okay, so there is also a proposed new tls extension for conveying a client stain identity. So, generally speaking, the tls server can find the client name in the client certificate itself. So why would we need this? Well, it has a couple of purposes first, to signal support for this protocol, which can be done by uh the client just sending an empty extension.

J

So technically, both the server and client could signal this capability advertisement. It's particularly useful, though, for the client to do this, because then it can communicate to the server that it has a date record that it wishes to be authenticated with and in environments that may support a mixture of clients.

J

We can ensure that the tls server attempts to do data authentication only for the clients that are suitably configured to make that possible right, and secondly, this extension can be used to convey the actual client's, dns identity and maybe their domain name in cases where it may be required. So there's two cases where it's probably required. The first is if clients are using raw public key authentication, that's rfc 7250.

J

I think uh I don't know of anyone that has actually implemented that in the field today, but it's certainly a possibility that can be uh supported by the dance architecture. So in that case there is no certificate at all from which the client's identity can be extracted.

J

So the client has to communicate that in some manner and this extension can be used to do that. Another case is if the client certificate has multiple identities in it, and we want to be able to kind of surgically tell the server which specific identity has a dane tlsa record associated with it to kind of minimize the amount of unnecessary work the server might otherwise have to do to hunt down which of those identities has a date record.

J

So I also want to make a note about the privacy implications of this, this extension, which was kind of brought up when we originally talked about this drafts, because we are potentially sending the client identity in the extension. So when we first started this work in 2015, we didn't really have a good solution to privacy protection at the time. But now we have tls 1.3, which does address this so in tier in the tls 1.3 version of this protocol.

J

The extension is intended to be carried in the certificate request and the certificate messages which are both encrypted, so there's no privacy leakage in tls 1.2.

J

The client has to send this extension in the first flight client, hello extension, so this can't be protected today without further enhancements to that version of the protocol, which seems kind of unlikely at this point so, depending on the application, this privacy leakage may or may not matter to you, but we advise using tls 1.3 if, if possible,.

J

Next slide, please.

J

uh The tls say record format for uh client, uh client authentication.

J

Sort of the record data format is exactly the same as defined in rfc 6698, detain, spec. What's different is the record owner name format, which has to be adapted to something more suitable for client names, so the spec currently proposes two formats that we think have wide applicability, but I think we recognize that applications could choose something else uh if they needed to, and the draft is trying not to be prescriptive on this point.

J

So the first format is what we're calling service specific client identity and it allows for the same client to have different credentials for different services by encoding the service name into the first label of the domain name, and it also accommodates wildcards if the client uses a common credential across many applications.

J

So in the original version of the spec in uh going back to 2015, we, we had actually proposed the use of different subject: alternative name types, so there's something called srv name, which is described in 49.95, which supports kind of like a more flexible way to encode application, specific identifiers. But in the end, we, you know kind of assess that nobody really uses that in the ecosystem at all and we kind of took it out and instead now we have this format uh next slide. Please.

J

The second format is what we're calling iot device identity and proposes organizing iod device names under a common suffix, using what we call a an identity grouping label.

J

So that's underscore device that you can see in the second label in this example, and this scheme permits an organization if they wanted to to delegate the management of the client device stream to a third party that could offer you know, dns signing services and maintenance if they wanted to so to the left of the underscore device label, uh is the device name which could be composed of a number of labels and to the right is the organizational name which may include other labels within the organization, not just the uh kind of top-level zone of the organization and uh next slide.

J

J

And here's a kind of just a made up example of what what an iot client date record might look like, and this is straight from the draft and let's just move on to the next slide.

J

And here's a general diagram of the protocol protocol flow, it's just some minor enhancements to the typical tls client certificate authentication flow. So I've just pointed out the main deltas in red here, namely that the uh dane client id extension is sent along with the client certificate from the client to the server and that the tls server needs to perform a lookup of the client state and tlsa record and validate the client's certificate of public key against the contents of that authenticated record and next slide.

J

uh I've also tried to annotate the tls 1.3 handshake message flow with the new protocol elements. uh This should be fairly self-explanatory to folks familiar with the tls protocol, but uh so this is this slide. Is the vanilla tls 1.3 handshake? So let's move on to the next slide and uh in red, so this part is optional. So originally this wasn't in the spec.

J

We only had it was kind of a one-way extension from the client, but some people argued to me that it may be useful for the tls server to advertise that they support this capability, so that can be done by optionally, sending the client an empty client id extension in the certificate request message from the server uh next slide, and then the client in its certificate message includes the dane client id extension, so that can be an empty extension to convey the client's intent to be authenticated via dane.

J

In that case, the server needs to extract the client identity from the certificate, and also it could be used to convey the client's name as well, which, as I mentioned previously, is required in certain use cases. For example, if you're using wall, public, key authentication and next slide.

J

And lastly, what the tls server then has to do is get the client's identity. Look up, the tlsa are set authenticated and match it against the client certificate of public key, so in the draft is currently written, requires the tls server to do this in band in in the tls handshake. But, as has already been mentioned today in previous conversation, that's not the only possibility.

J

We could envision the client kind of uh conveying building its full day and authentication chain and sending it along in a tls extension to the server. The reason we hadn't originally put that in the draft is we were concerned that one of the prominent use cases for this protocol was iot devices which could potentially be constrained, and that may be too high of complexity and implementation bar for them.

J

But you know since we're discussing it, we can certainly have a debate about whether or not uh that uh enhancement, uh whether it's optional or not, should go into into this protocol and uh next slide. Please uh yeah, okay, so I'll stop here for a discussion. uh One parting question before that to the chairs, and the working group generally, though, is: are these drafts suitable as protocol building blocks for dance? And if so, uh you know uh when should we?

J

You know talk about adopting.

B

uh So I'll see the the question with one question that kind of came up in the chat, which is uh that device identities are potentially privacy leaking, and should we consider doing this only for tls, 1.3 and ignoring 1.2? Do you have thoughts on that.

J

uh Yeah, so I mean I was when we were originally uh doing this work. Tls 1.3 didn't exist right, so we had to kind of support it until s 1.2 and I had to grapple with the with the uh with the privacy question uh a little bit harder. Now that we have tls 1.3, I guess it depends on uh you know the use case and what kind of uh deployed field of of client devices we're dealing with right.

J

So if it's the case that it's like green field applications where tls 1.3 is omnipresent, then yeah, I think we could easily do that, but it may not be the case in certain environments right. So I think that question I don't know the answer that question. I think you would need some uh some research to see. You know which sort of environments we're trying to apply these solutions to.

B

Okay uh dkg, I suspect, you're in line specifically because of that.

H

uh No, I actually had a question about the tls arrangement. Can you go back to the slide that have the tls diagram.

H

Yeah, um so uh I might be fuzzy it's early in the morning than the times that I'm in, um but I seem to recall that with tls, the client has to offer the extension before the server responds with it. So are we saying that the client hello would be marked with the client id the dane client id as well?

H

It's a request response arrangement and I don't see it in the first flight from the client.

J

It's not in the first flight from the client right so that wasn't the original version of the spec when tls 1.3 wasn't around so uh the.

H

J

I'm not remove the certificate.

H

I'm saying the the extension because I believe extensions are our request response. So if the client doesn't offer the client id extension, then the server can't respond with it that that is just the flag. That says I do want to do. Dane client id.

J

Yeah, I'm a little fuzzy about.

H

That I don't see why.

J

uh I'm not aware of that requirement, so maybe someone can uh can elaborate on that restriction. A little bit more yeah. So.

B

In this case I mean.

J

H

So that's just just a wrinkle, that's worth thinking about the second thing that when I'm looking at this, um it occurs to me that uh if this is being done in a situation where you basically already know your peer, then you have some out of like you have no other way to authenticate yourself. Besides this client search, you could there's no necessary reason for an extension for this at all.

H

um In fact, you've already identified that the server is who they say they are, and if you know that this client identity is visible, you can just stuff the information into the certificate um and let the server figure it out. I'm not even sure that we need a tls extension for that. If.

H

A phony x, 509 certificate.

H

uh You know with especially you know, market in some way, then you can let the server take it or not. Take it, and and that's how it is, you might not need the the tls extension at all yeah.

J

So yeah so daniel, I I agree there are so there are many situations where you may need not need this at all. So uh there are uh uh situations where you might know right if you have a like a kind of like a mixed mode uh field of uh uh tls clients, and some of them uh can do uh dane authentication some of them. Can't you want a signal from the tls client to the server that I have.

J

You know, please authenticate me be a dane. Otherwise, the situation you're going to run into the tls server may be needlessly trying to do all these dane look ups in band with the tls handshake for many clients that have no dane record and it's doing useless work right. So this is cool right.

D

J

Optimization to make sure the client is not server is not being compelled to do unnecessary work.

H

So I think you actually need the signal in the opposite scenario, in the scenario that you're describing we don't need a tls extension signal. We just need the certificate to be identifiable as a day insert versus not a danger.

J

Fair enough yeah, that's another way to do it. If, if the certificate contains some sort of attribute that uh tells the server that it's uh it has a dane record, that would be another way of doing it. So I, I think that's worthy of discussion. Yeah.

H

Yeah- and there is the opposite scenario, where you have a client that is connecting to servers and the client has multiple ways to authenticate and needs to decide which way to use. That's where you would need the tls extension so that the server can signal.

D

H

Type of identity the client should use if we're talking iot. That seems like pretty unlikely right. These devices are going to have one identity to offer correct.

J

Correct correct yeah, so I mean that so that second point is already satisfied by the server optionally providing that extension. So so maybe it should always provide that extension. If it knows it supports stain client authentication.

J

I'm hearing a little bit of an echo should I view myself or it's not going to reverb here.

K

Yeah, so we were just talking about the you know: can we go to tls 1-3 only, and your observation was well we might be able to, but we need to check the kind of the use cases and the user population of the devices that confused me a little bit, because I thought we were talking about a green field deployment.

K

So you know, regardless of whether I'm using tls1213, I'm going to have to update my stack here with this extra, dane kind of and logic, and so you know are we saying we have circumstances where we can update the code to do a slightly better or fancier tls one two processing. But there are certain clients where you know. While we can make that change, we can't make the stack upgrade to 1.3.

J

Yeah, so that I don't know you may very well be right, roman, so I was envisioning a situation where you're right stats have to be upgraded uh regardless to use this mechanism, but it may you know there may be situations I was imagining. I could be wrong where it's easier to just enhance the tls 1.2 stacks to do this rather than upgrading whole hog, everyone to tls 1.3. First, I could be wrong about that. Maybe maybe that's not a concern and we're looking more at greenfield tls 1.3 deployments.

B

B

D

I I I'm getting echo too um so you mentioned the question of whether sending an entire chain would be a significant burden on iot devices. I want to argue that it's not a significant burden that, from the perspective of an iot device it the entire chain, is a static block of opaque data.

D

It doesn't need to know anything about it. It doesn't need to look at it. uh It just would need to ship it in the in the handshake or in a lot alongside the certificate message, because this block of data only changes when uh at most as frequently as when the certificate itself has to change.

J

So ben, I think, uh there's a little bit more subtlety here. It has to change more frequently than that it has to change uh as uh ttls and rs things on the time scale of of of those things in the chain right, it's a full chain.

J

So it's not just the tlsa record in the um in the leaf zone, but it's all the records above it too.

D

J

D

Has to be, I mean not that.

J

It's not doable, but I mean something has to like periodically regenerate the claim the chain for the client right.

D

J

The client is doing it itself, which may or may not be a computational burden for them, or some out of band thing is doing it for them.

D

uh Yeah, okay, I see, I see your point here. You can actually rotate the the in the sense, the intermediate keys more frequently than you rotate the leaf keys. That seems a little weird, but but you can do that and then.

J

Yeah I mean in theory, you have to be prepared for the possibility that could it could happen right, which means you want to be able to always ship a reasonably uh fresh um tls chain, always right to prevent those kind of problems.

D

Okay, that's interesting.

B

Typically, the upper tree is longer longer signatures, but yeah.

J

I agree typically typically longer it may not be an issue, but uh it's like there's no guarantee of that in the general things I think.

D

Okay, uh thanks for helping me understand that uh any my my view here is, that um is that we want shipping a chain to be something that servers can require essentially a profile of of this whole system, um so that uh I don't think it has to be mandatory.

D

uh But I think servers should essentially be able to mandate it for some population of clients that they work with.

J

Okay, yeah, I think I think that's that's a reasonable thing to suggest.

B

uh Victor and if I could um beg you to give an explanation at the same time of the difference between tlsa expiry versus signature versus expiry, because there's discussion in the chat, and so I think we might actually clear up some of the chat discussion. If you want to go over.

F

F

uh So to uh clear that up, uh yes, the client needs to actually, if it's gonna send the change, it would need to regenerate frequently, because one of the most essential elements in that chain is the rrsig over the client's tlsa records and while the client's public key may be stable for days weeks months years, the rsig over that key from the signing zone should really only have validity at most a couple of weeks, maybe a month, and so the client would need to refresh that data from time to time needed to be on every exchange.

F

But it would need to do it periodically and well in advance of the expiration of the resource record signatures on this data that it obtains at some point and needs to again have a fresh copy of uh every uh realistically every few hours uh I signed records for one hour. uh The um I don't know if that's enough, uh but uh yeah.

J

F

J

F

Of this of this data, the rest is fairly stable.

J

Yeah, so just to elaborate on that point uh victor it's! If even if nothing else, changes the rrsig's inception and expiration parameters will change right, those will gradually.

D

J

And those are part of the data over which the is computed.

F

Right, uh well, there are six, are the signatures? Then they're? Not you, you don't sign our rsigs.

J

But yes, uh but the dates yes, uh yeah.

F

Yeah I mean the.

J

Rsigma, the metadata of the rrc.

F

J

Included as part of the signature right.

F

And- and those should not be- you know, ietf.org aside, which signs for one year uh is a bad example, the rest of the world science signs for much less time.

F

One thing I wanted to point out in terms of this slide and the various extensions going back and forth is that in fact, a lot of this signaling could be embedded in existing signaling, in the sense that if we wanted to go down that route, when the server lists a client certificate, it sends a list of acceptable ca names.

F

Ca names are subject, dms and subject, dns have components, you know ous and countries and all that kind of stuff, uh and there could certainly be a format for the subject. The ends of the case that the server requests that essentially implies a dns namespace and could even you know, say you know. I want a client credential issued by essentially gained from this domain, and that could be a form of you know, x, 509 name. All we need to do is get an o it. uh uh You know it's a free.

F

We could, you know, write one down on a napkin and you know, and then we have a way of signaling uh that you want if that name component appears in the certificate list from the server. That means that the server is willing to accept dane identities from this portion of the dns tree and similarly the client certificate uh could in at least in the use cases where uh the tlsa records are of the dane ee variety right. Three, uh you know just just carry a public key.

F

Essentially, the client can mint its own certificate on the fly right, because all it's presenting is a public key and then it can embed in that certificate. Any name it chooses at that point in time or has chosen recently, so it can again signal its name in a freshly baked cert uh to indicate you know I am so and so at such and such a domain, so there's lots of opportunities to move the signaling from extensions into bits of you know certificate like metadata that we could consider, uh if appropriate,.

B

It would be well worth writing up an example vector and sending to the mailing list so that people can read it over. I think that's a really good point.

F

And at some point I may think harder and deeper about the role of an architecture in which we have things like kdc's uh mediating, multi-hop interactions here uh and then we potentially take advantage of existing uh protocols. There maybe even get advantages in terms of uh post quantum and so on. If kdc's negotiate symmetric keys with each other periodically, then we can use symmetric keying for bunches of this anyway, all kinds of interesting stuff to research but yep.

J

Later yeah sounds good, so I think dkg brought that up well, I think it's certainly worth investigating whether we can provide the dane uh signal inside the uh certificate itself rather than in the certificate extension.

J

Oh yeah, so yeah.

B

Are there any other uh questions or people that want to join the queue about the solution? Documents of these?

B

We have plenty of time left. We still have 20 minutes left only.

B

No audio from you.

B

I think I saw bars nope.

B

J

Maybe have ollie type type his question into the chat.

B

You could do that and we could relay it. Certainly.

B

You know we have microphone problems in physical rooms too, right.

B

All right, anybody else uh have comments.

B

So far, otherwise, we'll probably dive into next steps and probably whenever you're ready.

B

Microphone's there you don't need a request. Just talk.

B

Oh, you are super quiet. I actually hear something now.

J

Yeah, I can hear you extremely faintly, though.

L

That is weird I just wanted to point. The name space needs to be discussed. I have a discussion with the nes folks and uh they want us to look into the name space so we'll build that in s3 if possible, but that's something we can discuss later.

J

Okay, so I I heard uh I think I heard namespace uh needs to be discussed is. Did I get that right? I was having a lot of difficulty.

B

Yeah, I think that that.

J

B

Of it ollie could you could you actually just type your comment in jabber just so we can record it in minutes if nothing else, but I think that's a valid point, and we sort of mentioned that earlier as well.

B

Okay, all right! If there is nobody else, joining the queue, I will talk for a few seconds to make sure that nobody else joins the queue um yes and the name space needs to be discussed so that we build a tree instead of a flat namespace.

B

Okay dog point: uh nope nobody's joining the queue. So the next question I think to the participants in general is at what point we want to consider adopting these documents. I believe, schumann, that you have said. You believe that the two solution documents are functionally ready. If the working group uh feels that that is the case, is that correct.

J

uh Yeah, I think so I mean they may not be complete, but they uh like appropriately address the capabilities that we need for.

B

That right, if you're willing to turn them over and have the working group rip them through, shreds and completely rewrite them, got it okay, yes, right. uh Having said that, does anybody have um opinions uh pro or nay with respect to adopting the two documents, as is as a starting point, paul's back.

A

Back but I've just been muted, because I don't think things will work out for me.

B

uh So let me actually start a poll then um do.

B

Documents are ready for adoption. Note that this is not the architecture document.

B

uh It's a good point, roman I'll, get back to that.

B

So in chat, it would be helpful if people that have read the documents uh would just say red, so that we get a feel that um you know the counts actually match people that have actually done a at least a brief summary and analysis of it. Thank you keep those up.

B

Gotta love english.

B

The fact that read and read are the same, spelling has always just if there was one abomination of this language. It would be that.

B

Yeah that two-ish all right. I think that is a fairly clear consensus that we are trending toward their ready. uh The numbers seem to be mostly stable, so we will end the session there with 22 for rey's hands. One did not raise hand out of 23 total participants.

B

I didn't count the number of people that have read things in this session, but in the jabra session, but it seems to be uh there's quite a bit of people that have read it. So that's a good sign all right.

B

Having said that, I think I'm out of questions unless my illustrious co-chair or ad has specific things they want to bring up.

B

And we can give you back 13 minutes of your day, going once in dkg.

H

uh I just wondered: I saw that one person said this document doesn't seem ready for adoption. I wonder if that person wants to say anything. It just might be worth hearing what they think he's missing.

B

Yep, that's a very good point. Thank you for that. uh If the one person that did not raise their hand wants to de-anonymize, um please uh feel free to come to the mic and explain why you think it's not ready.

B

Understanding that you may not want to de-anonymize- and that is the purpose of a anonymous poll- all right well, uh hopefully, discussion will come up on the mailing list of of what people find issues with the current document, because that's the purpose of editing things as a working group in the first place.

B

So thank you dkg for making sure they had a chance, but otherwise, I think we'll close the inaugural session of the dance working group and we can all take an extra 10 minutes to get some exercise and I suggest dancing it's a great form of exercise.

B

Thanks all see you in 113 thanks all.

B