On Wed, Jul 29, 2015 at 4:39 AM, Ian Maddison <[email protected]> wrote:
>
> > On 29 Jul 2015, at 08:19, Patrick Ben Koetter <[email protected]> wrote:
> >
> > > There's no usable client authentication at the moment.
> >
> > A first draft for client authentication has been published:
> >
> > https://datatracker.ietf.org/doc/draft-huque-dane-client-cert/
>
> Thanks. Sorry, I should’ve been clearer, that’s the draft I had in mind,
> namely:
>
> [...]
>
> > AFAIK it has also been discussed at the recent IETF meeting.
> >
> > That's all there is for the moment.
>
> I’m hoping to hear more about this going forward.

Yes, the draft was presented at the DANE working group meeting at IETF93 in Prague last week. This is primarily geared towards client authentication (via X.509 certificates or raw public keys) in TLS applications. It is probably not a great fit for your originally mentioned use case of authentication and access control at DNS recursive servers, which don't typically use TLS today. There are plans in the pipeline to do DNS over TLS between stubs and recursive servers, but even then, there are bootstrapping, circular dependency, and configuration challenges that might not make this draft suitable for that case.

For client access control to a recursive server, for now I'd suggest looking at other approaches, e.g. TSIG, IPsec, etc. If in an enterprise environment with a central authentication system, GSS-TSIG might be an option for scalable per-client authentication and access control. All of this could run over TLS in the future for privacy protection.

That said, we're hoping to move the TLSA client certificates draft forward. One thing I forgot to do at IETF is to ask the working group chairs to gauge interest in adopting the draft. I will send a separate note about that on list shortly.

Shumon Huque.
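The reply above points at TSIG as the near-term way to authenticate clients to a recursive server. The following is an added illustration, not code from the thread or from any of the participants, of what a TSIG-signed request looks like on the wire and how a server would check it against a table of per-client shared keys (RFC 8945, HMAC-SHA256). The key name `client1.example.`, the secret and the query are constructed sample values; the message builder and parser are deliberately minimal (one question, uncompressed names) and use only the Python standard library.

```python
"""Added example (not from the thread): TSIG request signing and verification.
Key name, secret and query below are constructed sample values."""
import hashlib
import hmac
import os
import struct
import time

TSIG_TYPE = 250            # RR type of the TSIG meta-record (RFC 8945)
CLASS_ANY = 255            # TSIG RRs are always class ANY with TTL 0
ALGORITHM = "hmac-sha256."  # algorithm identifier, encoded as a domain name


def name_to_wire(name):
    """Uncompressed, lowercase (canonical) wire form of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _read_name(buf, off):
    """Parse an uncompressed wire name at off; return (name, next offset)."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def _skip_name(buf, off):
    """Skip a wire name, which may end in a compression pointer."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n


def build_query(qname, qtype=1, msg_id=None):
    """Minimal unsigned DNS query: header (RD set) plus one IN question."""
    if msg_id is None:
        msg_id = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + name_to_wire(qname) + struct.pack("!HH", qtype, 1)


def _tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """Fields HMAC'd together with the message (RFC 8945 section 4.3.3)."""
    return (name_to_wire(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + name_to_wire(ALGORITHM) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign_request(msg, key_name, secret, time_signed=None, fudge=300):
    """Client side: append a TSIG RR to an unsigned request, bump ARCOUNT."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = hmac.new(secret, msg + _tsig_variables(key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    rdata = (name_to_wire(ALGORITHM) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + msg[:2]                       # original message ID
             + struct.pack("!HH", 0, 0))     # error NOERROR, other len 0
    rr = (name_to_wire(key_name)
          + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata)
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def verify_request(signed, keys, now=None):
    """Server side: check the TSIG on a request against per-client keys.
    `keys` maps key name -> shared secret bytes. Returns (ok, reason)."""
    if now is None:
        now = int(time.time())
    msg_id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return False, "no TSIG record"
    off = 12
    for _ in range(qd):
        off = _skip_name(signed, off) + 4
    start = rtype = rdoff = rdlen = None
    for _ in range(an + ns + ar):            # TSIG must be the last RR
        start = off
        off = _skip_name(signed, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
        rdoff = off + 10
        off = rdoff + rdlen
    if rtype != TSIG_TYPE:
        return False, "last RR is not TSIG"
    key_name, _ = _read_name(signed, start)
    if key_name not in keys:
        return False, "unknown key %s" % key_name
    alg, p = _read_name(signed, rdoff)
    if alg != ALGORITHM:
        return False, "unsupported algorithm"
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, maclen = struct.unpack("!HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + maclen]
    q = p + 10 + maclen
    orig_id, error, other_len = struct.unpack("!HHH", signed[q:q + 6])
    other = signed[q + 6:q + 6 + other_len]
    if orig_id != msg_id:
        return False, "original ID mismatch"
    # Rebuild the message as it was before the TSIG RR was appended.
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:start]
    expected = hmac.new(keys[key_name], unsigned + _tsig_variables(
        key_name, time_signed, fudge, error, other), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad MAC"
    if abs(now - time_signed) > fudge:
        return False, "outside time window"
    return True, "ok"
```

Usage: `sign_request(build_query("www.example.com."), "client1.example.", secret)` produces a request the server accepts only while it holds the same secret under that key name, the MAC covers the whole query, and the timestamp is within the fudge window; a server would then apply its access policy to the authenticated key name. The same shared-secret model is what GSS-TSIG replaces with centrally issued keys.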
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
