Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Client Certificates in DANE TLSA Records

Shumon Huque
July 20, 2015
Technology
0
88

Client Certificates in DANE TLSA Records

Client Certificates in DANE TLSA Records. IETF93 DANE Working Group. Shumon Huque and Viktor Dukhovni.

Shumon Huque

July 20, 2015
Tweet

More Decks by Shumon Huque

See All by Shumon Huque
Delegation Revalidation by DNS Resolvers
shuque
0
46
Improving DNSSEC Provisioning with 3rd Party DNS Providers
shuque
0
47
Whither DANE?
shuque
1
48
Multi-Signer DNSSEC Models
shuque
0
320
Multi-Provider DNSSEC
shuque
1
110
DNSSEC for a Large Enterprise
shuque
0
110
Algorithm Negotiation in DNSSEC?
shuque
0
67
NSEC5: Updated Specification and Implementation Results
shuque
1
100
An Overview of DNS Privacy
shuque
0
91

Other Decks in Technology

See All in Technology
複雑なState管理からの脱却
sansantech
PRO
1
140
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
220
適材適所の技術選定 〜GraphQL・REST API・tRPC〜 / Optimal Technology Selection
kakehashi
1
170
【若手エンジニア応援LT会】ソフトウェアを学んできた私がインフラエンジニアを目指した理由
kazushi_ohata
0
150
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.6k
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
28
12k
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
940
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
870
BLADE: An Attempt to Automate Penetration Testing Using Autonomous AI Agents
bbrbbq
0
300
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
110

Featured

See All Featured
Music & Morning Musume
bryan
46
6.2k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
370
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
Done Done
chrislema
181
16k
A Philosophy of Restraint
colly
203
16k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Code Reviewing Like a Champion
maltzj
520
39k
Designing the Hi-DPI Web
ddemaree
280
34k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.9k

Transcript

  1. Client Certificates in DANE TLSA Records Shumon Huque & Viktor

    Dukhovni IETF 93, DANE Working Group July 20th 2015, Prague, Czech Republic

  2. https://tools.ietf.org/html/draft-huque-dane- client-cert-01

  3. Client Certificates in DANE TLSA Records • Owner name format:

    _service.<domain-name> IN TLSA <.. rdata ..>

  4. _smtp-client.device1.example.com. IN TLSA ( 3 1 1 d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e971 )

  5. Authentication Model • Client has an identity assigned corresponding to

    a DNS domain name. • Client has a private/public key pair and a certificate binding the domain name to the public key. • Domain Name + Certificate has a corresponding signed DNS TLSA record

  6. Client identity in Certificate • Two options, Subject Alternative Name’s:

    • dNSName type • SRVName type

  7. Signaling Client Id • Server may want an explicit indication

    from the client that it has a TLSA record, to avoid unnecessary DNS queries in-band with TLS handshake. • If raw public keys are being used (RFC 7250), the client needs to convey its identity explicitly. • Some deployed client software reacts badly to unexpected Certificate Request messages.

  8. Signaling Client Id • A new TLS extension is proposed

    to convey DNS client identity (I-D will go out in the near future)

  9. Client Requirements • Must have a signed TLSA record published

    corresponding to DNS name and X.509 client certificate • Client’s name must appear in the certificate’s dNSName or SRVname fields of the Subject Alternative Name • [Future: client uses a TLS extension to signal identity explicitly to the server]

  10. Server Requirements • Send Certificate Request message in TLS handshake.

    • Extract client identity from presented certificate. • Construct DNS query name for corresponding TLSA record. • Lookup & authenticate TLSA record in DNS. • Extract rdata of TLSA record and match it to the client certificate.

  11. More details https://tools.ietf.org/html/draft-huque-dane- client-cert-01