Thursday, 2025-07-24 -- 12:00 local -- 10:00 UTC
Notes: Rich "twisted arm" Salz
Vision: Every host (light bulb, etc.) has a DNS name, even if it's
not a public name. "Handle Service Provider" new/existing/AV/other
to provide this kind of service. HSP is open service, so users can
switch providers (for paid case).
"What if Internet goes down?" Now need client TLS auth. If
everything has a DNS name, DANCE is a way to authenticate.
Paul: Roughly "zero" people have their own DNS name. So unlikely to
expect my family using "paul.gmail.com" to ever be able to migrate.
PHB: There are ways to address it (see Bluesky practices, GNS free
partition, etc). I think the main reason is there's no use for
general consumer to get a name. I think this creates demand.
Paul: I got lucky and have easy "nohats"; don't think DNS can do
that.
Viktor: FB has a billion users, so I'm not skeptical of a billion
users in a namespace.
TLS client auth with reasonable name is the obvious tech choice.
(HSP runs small private CA, probably via ACME; each user has their
own root). Open questions: how to bind root, cert profile,
Viktor: At TLS yesterday, discussion of draft for client to tell
server "ask for my client certificate." You might find it helpful.
Browsing with Kerberos can be cleaner than webauth, so look at GSS
model.
DKG: I think you're asking for a super-cookie. There are downsides
to having completely friction-free identity system.
PHB: Those are valid concerns. If people are going to partition
their identity, it can be done once not every time.
Q: Be careful about CAs, since they aren't held to same high
standards of WebPKI root trust stores.
PHB: Not expecting existing software to use there
Discussion of X509 nameConstraints, who supported it,
Wes: This is DANE-based WG, so for off-line use how do you use
DANE?
Viktor: Local DNS infrastructure
PHB: Cache roots; have a device in the user's house to handle this
(e.g., DNS cache)
Next steps?
Viktor: want more details on protocols for me to understand the
problem. If you're really off-line, time sync is very hard and we
need time for our protocols.
PHB: I was told DANCE is shutting down, wanted to get expertise.
Off-line/time is a big problem.
Paul: A problem with DANCE is putting things into DNS that you
don't want to share.
PHB: Split-DNS (a records private; ACME records public while
requesting renewal)
Paul: SETTLE mailing list
Jim Reid: Interesting, but not really appropriate for DANCE, lots
of things in there. Private CA roots in split-DNS terrifies me.
Maybe progress via mailing list.
PHB: I
(Break while I was waiting on the mic line)
Wes: Maybe come back before existing docs are done with IETF last
call -- i.e., months.
Paul as Sec AD: This has been very hard to get work in this WG. Need
more than just five people interested for it to be believable that
it would succeed.