client certificates in dane tlsa records
TRANSCRIPT
![Page 1: Client Certificates in DANE TLSA Records](https://reader036.vdocuments.mx/reader036/viewer/2022081807/5884a6301a28ab76798b4c97/html5/thumbnails/1.jpg)
Client Certificates in DANE TLSA Records
Shumon Huque & Viktor Dukhovni
IETF 93, DANE Working Group July 20th 2015, Prague, Czech Republic
![Page 2: Client Certificates in DANE TLSA Records](https://reader036.vdocuments.mx/reader036/viewer/2022081807/5884a6301a28ab76798b4c97/html5/thumbnails/2.jpg)
https://tools.ietf.org/html/draft-huque-dane-client-cert-01
![Page 3: Client Certificates in DANE TLSA Records](https://reader036.vdocuments.mx/reader036/viewer/2022081807/5884a6301a28ab76798b4c97/html5/thumbnails/3.jpg)
Client Certificates in DANE TLSA Records
• Owner name format:
_service.<domain-name> IN TLSA <.. rdata ..>
![Page 4: Client Certificates in DANE TLSA Records](https://reader036.vdocuments.mx/reader036/viewer/2022081807/5884a6301a28ab76798b4c97/html5/thumbnails/4.jpg)
_smtp-client.device1.example.com. IN TLSA ( 3 1 1 d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e971 )
![Page 5: Client Certificates in DANE TLSA Records](https://reader036.vdocuments.mx/reader036/viewer/2022081807/5884a6301a28ab76798b4c97/html5/thumbnails/5.jpg)
Authentication Model• Client has an identity assigned corresponding to
a DNS domain name.
• Client has a private/public key pair and a certificate binding the domain name to the public key.
• Domain Name + Certificate has a corresponding signed DNS TLSA record
![Page 6: Client Certificates in DANE TLSA Records](https://reader036.vdocuments.mx/reader036/viewer/2022081807/5884a6301a28ab76798b4c97/html5/thumbnails/6.jpg)
Client identity in Certificate
• Two options, Subject Alternative Name’s:
• dNSName type
• SRVName type
![Page 7: Client Certificates in DANE TLSA Records](https://reader036.vdocuments.mx/reader036/viewer/2022081807/5884a6301a28ab76798b4c97/html5/thumbnails/7.jpg)
Signaling Client Id• Server may want an explicit indication from the
client that it has a TLSA record, to avoid unnecessary DNS queries in-band with TLS handshake.
• If raw public keys are being used (RFC 7250), the client needs to convey its identity explicitly.
• Some deployed client software reacts badly to unexpected Certificate Request messages.
![Page 8: Client Certificates in DANE TLSA Records](https://reader036.vdocuments.mx/reader036/viewer/2022081807/5884a6301a28ab76798b4c97/html5/thumbnails/8.jpg)
Signaling Client Id
• A new TLS extension is proposed to convey DNS client identity (I-D will go out in the near future)
![Page 9: Client Certificates in DANE TLSA Records](https://reader036.vdocuments.mx/reader036/viewer/2022081807/5884a6301a28ab76798b4c97/html5/thumbnails/9.jpg)
Client Requirements• Must have a signed TLSA record published
corresponding to DNS name and X.509 client certificate
• Client’s name must appear in the certificate’s dNSName or SRVname fields of the Subject Alternative Name
• [Future: client uses a TLS extension to signal identity explicitly to the server]
![Page 10: Client Certificates in DANE TLSA Records](https://reader036.vdocuments.mx/reader036/viewer/2022081807/5884a6301a28ab76798b4c97/html5/thumbnails/10.jpg)
Server Requirements• Send Certificate Request message in TLS handshake.
• Extract client identity from presented certificate.
• Construct DNS query name for corresponding TLSA record.
• Lookup & authenticate TLSA record in DNS.
• Extract rdata of TLSA record and match it to the client certificate.
![Page 11: Client Certificates in DANE TLSA Records](https://reader036.vdocuments.mx/reader036/viewer/2022081807/5884a6301a28ab76798b4c97/html5/thumbnails/11.jpg)
More details
https://tools.ietf.org/html/draft-huque-dane-client-cert-01