Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Client Certificates in DANE TLSA Records

Shumon Huque
July 20, 2015
Technology
0
80

Client Certificates in DANE TLSA Records

Client Certificates in DANE TLSA Records. IETF93 DANE Working Group. Shumon Huque and Viktor Dukhovni.

Shumon Huque

July 20, 2015
Tweet

More Decks by Shumon Huque

See All by Shumon Huque
Delegation Revalidation by DNS Resolvers
shuque
0
35
Improving DNSSEC Provisioning with 3rd Party DNS Providers
shuque
0
34
Whither DANE?
shuque
1
42
Multi-Signer DNSSEC Models
shuque
0
240
Multi-Provider DNSSEC
shuque
1
80
DNSSEC for a Large Enterprise
shuque
0
97
Algorithm Negotiation in DNSSEC?
shuque
0
52
NSEC5: Updated Specification and Implementation Results
shuque
1
87
An Overview of DNS Privacy
shuque
0
81

Other Decks in Technology

See All in Technology
Compose Compiler Metricsを使った実践的なコードレビュー
tomorrowkey
1
210
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
270
Reducing Cross-Zone Egress at Spotify with Custom gRPC Load Balancing Recap
koh_naga
0
180
最近たまに見かけるTiDBってなんだ? - Findy
pingcap0315
2
730
[PlatformCon 24] Platform Orchestrators: The Missing Middle of Internal Developer Platforms?
danielbryantuk
1
760
MySQL の SQL クエリチューニングの要所を掴む勉強会
andpad
2
4.7k
Algyan イベント振り返り
linyixian
0
200
Next'24 事例セッションの紹介とクラウド資格を活用したキャリア形成について語りMuscle
yasumuusan
1
410
FrontDoorとWebAppsを組み合わせた際のリダイレクト処理の注意点
kenichirokimura
1
390
テストプロセスで大事にしていること #jasstnano
makky_tyuyan
0
150
SPI原点回帰論:事業課題とFour Keysの結節点を見出す実践的ソフトウェアプロセス改善 / DevOpsDays Tokyo 2024
visional_engineering_and_design
4
1.8k
アクセシビリティを考慮したUI/CSSフレームワーク・ライブラリ選定
yajihum
2
970

Featured

See All Featured
For a Future-Friendly Web
brad_frost
171
8.9k
Designing for Performance
lara
601
67k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
243
20k
Principles of Awesome APIs and How to Build Them.
keavy
120
16k
The Cost Of JavaScript in 2023
addyosmani
14
3.8k
Bootstrapping a Software Product
garrettdimon
PRO
301
110k
BBQ
matthewcrist
80
8.8k
Faster Mobile Websites
deanohume
297
30k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
77
42k
How STYLIGHT went responsive
nonsquared
92
4.8k
Practical Orchestrator
shlominoach
181
9.7k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
186
16k

Transcript

  1. Client Certificates in DANE TLSA Records Shumon Huque & Viktor

    Dukhovni IETF 93, DANE Working Group July 20th 2015, Prague, Czech Republic

  2. https://tools.ietf.org/html/draft-huque-dane- client-cert-01

  3. Client Certificates in DANE TLSA Records • Owner name format:

    _service.<domain-name> IN TLSA <.. rdata ..>

  4. _smtp-client.device1.example.com. IN TLSA ( 3 1 1 d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e971 )

  5. Authentication Model • Client has an identity assigned corresponding to

    a DNS domain name. • Client has a private/public key pair and a certificate binding the domain name to the public key. • Domain Name + Certificate has a corresponding signed DNS TLSA record

  6. Client identity in Certificate • Two options, Subject Alternative Name’s:

    • dNSName type • SRVName type

  7. Signaling Client Id • Server may want an explicit indication

    from the client that it has a TLSA record, to avoid unnecessary DNS queries in-band with TLS handshake. • If raw public keys are being used (RFC 7250), the client needs to convey its identity explicitly. • Some deployed client software reacts badly to unexpected Certificate Request messages.

  8. Signaling Client Id • A new TLS extension is proposed

    to convey DNS client identity (I-D will go out in the near future)

  9. Client Requirements • Must have a signed TLSA record published

    corresponding to DNS name and X.509 client certificate • Client’s name must appear in the certificate’s dNSName or SRVname fields of the Subject Alternative Name • [Future: client uses a TLS extension to signal identity explicitly to the server]

  10. Server Requirements • Send Certificate Request message in TLS handshake.

    • Extract client identity from presented certificate. • Construct DNS query name for corresponding TLSA record. • Lookup & authenticate TLSA record in DNS. • Extract rdata of TLSA record and match it to the client certificate.

  11. More details https://tools.ietf.org/html/draft-huque-dane- client-cert-01