DNS-based Authentication of Named Entities
charter-ietf-dane-02

WG review announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: dane WG <dane@ietf.org> 
Subject: WG Review: DNS-based Authentication of Named Entities (dane)

The DNS-based Authentication of Named Entities (dane) working group in
the Security Area of the IETF is undergoing rechartering. The IESG has
not made any determination yet. The following draft charter was
submitted, and is provided for informational purposes only. Please send
your comments to the IESG mailing list (iesg at ietf.org) by 2014-05-27.

DNS-based Authentication of Named Entities (dane)
------------------------------------------------
Current Status: Active WG

Chairs:
  Warren Kumari <warren@kumari.net>
  Olafur Gudmundsson <ogud@ogud.com>

Secretaries:
  Matt Lepinski <mlepinski.ietf@gmail.com>

Assigned Area Director:
  Stephen Farrell <stephen.farrell@cs.tcd.ie>

Mailing list
  Address: dane@ietf.org
  To Subscribe: https://www.ietf.org/mailman/listinfo/dane
  Archive: http://www.ietf.org/mail-archive/web/dane/

Charter:


Objective:

    The DANE WG will process documents that describe how to
    incorporate DANE and DANE-like functionality in protocols, and
    mechanisms to facilitate adoption of this functionality. The DANE
    working group will also assist other working groups with adding
    DANE functionality to their work. In addition the working group
    will monitor and provide guidance to operators and tool developers.
    When work on currently chartered documents is complete the WG
    may re-charter if sufficiently pressing new work is identified.
    DANE is not intended to be a long-lived catch-all WG
    for all PKI in DNS issues and so will generally not adopt new
    work items without re-chartering.

Problem Statement:

    The DANE working group has developed a framework for securely
    retrieving keying information from the DNS [RFC6698]. This
    framework allows secure storing and looking up server public key
    information in the DNS. This provides a binding between a domain
    name providing a particular service and the key that can be used
    to establish encrypted connection to that service.

    By requiring DNSSEC protection for the lookup of the public key
    information, DANE leverages the integrity protection provided by
    DNSSEC to enable secure discovery of keying information. Operators
    wanting to take advantage of DANE for their services must turn on
    DNSSEC signing on the zones used in finding the services. Using
    DNS this way, bindings of keys to domains are asserted by the
entities that 
    operate the DNS for that domain, not by external entities. 

    The DANE mechanisms provide flexibility in how the keying
    information is presented. DANE supports both Certificates and raw
    keys, further more Certificates and raw keys can be either the full
    key or a hash of the key. 
    The group will work on documenting the different approaches to use
    DANE keying, and the security implication of each. In addition
    the WG may develop a framework(s) to facilitate the lookup "client"
DANE 
    records for authorization/authentication purposes. 

    The group may also create documents that describe how protocol
    entities can discover and validate these bindings in the execution
    of specific applications. This work would be done in coordination
    with the IETF Working Groups responsible for the protocols. 

    The group may in addition encourage interoperability testing and
document
    the results of such testing. 






Milestones:
  Jun 2014 - Advance DANE SRV document to IESG
  Jun 2014 - Advance DANE SMTP document to IESG
  Aug 2014 - Advance DANE SMIME document to IESG
  Aug 2014 - Advance DANE OPENPGP document to IESG
  Sep 2014 - Advance DANE operational guidance/errata document to IESG
  Jan 2015 - Advance DANE security model document to IESG
  May 2015 - Advance DANE IPSEC document to IESG
  Jun 2015 - Advance DANE reverse binding (server to client) document to
IESG
  Sep 2015 - Advance DANE RFC6698 and DANE SRV RFC to Internet Standard
  Nov 2015 - Recharter or close down


WG action announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: dane WG <dane@ietf.org> 
Subject: WG Action: Rechartered DNS-based Authentication of Named Entities (dane)

The DNS-based Authentication of Named Entities (dane) working group in
the Security Area of the IETF has been rechartered. For additional
information please contact the Area Directors or the WG Chairs.

DNS-based Authentication of Named Entities (dane)
------------------------------------------------
Current Status: Active WG

Chairs:
  Warren Kumari <warren@kumari.net>
  Olafur Gudmundsson <ogud@ogud.com>

Secretaries:
  Matt Lepinski <mlepinski.ietf@gmail.com>

Assigned Area Director:
  Stephen Farrell <stephen.farrell@cs.tcd.ie>

Mailing list
  Address: dane@ietf.org
  To Subscribe: https://www.ietf.org/mailman/listinfo/dane
  Archive: http://www.ietf.org/mail-archive/web/dane/

Charter:

DANE is a set of mechanisms and techniques that allow Internet
applications to establish cryptographically secured communications
by using information made available in DNS. By binding the key 
information to a domain name and protecting that binding with 
DNSSEC, applications can easily discover authenticated keys for 
services.

Objective:

    The DANE WG will specify how to incorporate DANE and DANE-like
    functionality into protocols. The WG will specify the use of DANE 
    for protocols that use SRV to express service location. The WG will 
    specify DANE use for SMTP, SMIME, OPENPGP, IPSEC and  
    other base electronic mail protocols such as (IMAP or POP). The
    DANE WG shall also produce a set of implementation guidance 
    for operators and tool developers. 

    When work on currently chartered documents is complete the WG
    may re-charter if sufficiently pressing new work is identified.

    DANE is not intended to be a long-lived catch-all WG for all 
    public key distribution in DNS issues and so will generally not 
    adopt new work items without re-chartering. 

Problem Statement:

    The DANE working group has developed a framework for securely
    retrieving keying information from the DNS [RFC6698]. This
    framework allows secure storing and looking up server public key
    information in the DNS. This provides a binding between a domain
    name providing a particular service and the key that can be used
    to establish encrypted connection to that service.

    By requiring DNSSEC protection for the lookup of the public key
    information, DANE leverages the integrity protection provided by
    DNSSEC to enable secure discovery of keying information. Operators
    wanting to take advantage of DANE for their services must turn on
    DNSSEC signing on the zones used in finding the services. Using
    DNS this way, bindings of keys to domains are asserted by the 
    entities that operate the DNS for that domain, not by external 
    entities. 

    The DANE mechanisms provide flexibility in how the keying
    information is presented. DANE supports both Certificates and raw
    keys. Furthermore, the keys (raw or imbedded in certificates) can be 
    full keys or a hashes of keys. 
    The group will work on documenting the different approaches to use
    DANE keying, and the security implication of each. In addition
    the WG may develop a framework(s) to facilitate the lookup "client" 
    DANE records for authorization/authentication purposes. 

    The group may also create documents that describe how protocol
    entities can discover and validate these bindings in the execution
    of specific applications. This work would be done in coordination
    with the IETF Working Groups responsible for the protocols. 

    The group may in addition encourage interoperability testing and 
    document the results of such testing. 

Milestones:
  Jun 2014 - Advance DANE SRV document to IESG
  Jun 2014 - Advance DANE SMTP document to IESG
  Aug 2014 - Advance DANE SMIME document to IESG
  Aug 2014 - Advance DANE OPENPGP document to IESG
  Sep 2014 - Advance DANE operational guidance/errata document to IESG
  Jan 2015 - Advance DANE security model document to IESG
  May 2015 - Advance DANE IPSEC document to IESG
  Jun 2015 - Advance DANE reverse binding (server to client) document to
IESG
  Sep 2015 - Advance DANE RFC6698 and DANE SRV RFC to Internet Standard
  Nov 2015 - Recharter or close down


Ballot announcement