DNS-based Authentication of Named Entities (dane) Concluded WG

Note: The data for concluded WGs is occasionally incorrect.

Charter for Working Group

DANE is a set of mechanisms and techniques that allow Internet applications to establish cryptographically secured communications by using information made available in DNS. By binding the key information to a domain name and protecting that binding with DNSSEC, applications can easily discover authenticated keys for services.

Objective:

The DANE WG will specify how to incorporate DANE and DANE-like functionality into protocols. The WG will specify the use of DANE for protocols that use SRV to express service location. The WG will specify DANE use for SMTP, SMIME, OPENPGP, IPSEC and other base electronic mail protocols such as IMAP or POP. The DANE WG shall also produce implementation guidance for operators and tool developers.

When work on currently chartered documents is complete, the WG may re-charter if sufficiently pressing new work is identified. DANE is not intended to be a long-lived catch-all WG for all issues of public key distribution in DNS, and so will generally not adopt new work items without re-chartering.

Problem Statement:

The DANE working group has developed a framework for securely retrieving keying information from the DNS [RFC6698]. This framework allows server public key information to be securely stored in, and looked up from, the DNS. This provides a binding between a domain name providing a particular service and the key that can be used to establish an encrypted connection to that service.

By requiring DNSSEC protection for the lookup of the public key information, DANE leverages the integrity protection provided by DNSSEC to enable secure discovery of keying information. Operators wanting to take advantage of DANE for their services must turn on DNSSEC signing on the zones used in finding the services. Using DNS this way, bindings of keys to domains are asserted by the entities that operate the DNS for that domain, not by external entities.

The DANE mechanisms provide flexibility in how the keying information is presented. DANE supports both certificates and raw keys. Furthermore, the keys (raw or embedded in certificates) can be full keys or hashes of keys.
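The certificate-versus-raw-key and full-versus-hash choices above correspond to the selector and matching-type fields of the TLSA record in RFC 6698. The Python below is an added example, not code from the WG or its documents: it builds a record on the operator side and checks it on the client side, with the certificate and key bytes being constructed placeholders (not real DER) and the DNSSEC-validation flag assumed to come from a validating resolver.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Field values follow RFC 6698. The "certificate" and "key" bytes are constructed
# placeholders; a real client would take the DER certificate and its
# SubjectPublicKeyInfo from the TLS handshake.
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1           # whole certificate vs. raw key
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2  # full data vs. hash of the data

SAMPLE_CERT_2015 = b"CONSTRUCTED-DER-CERT-2015:KEY-A"
SAMPLE_CERT_2016 = b"CONSTRUCTED-DER-CERT-2016:KEY-A"  # re-issued, same key
SAMPLE_SPKI_A = b"CONSTRUCTED-SPKI-KEY-A"

@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # certificate association data

def _select_and_hash(selector, matching_type, cert_der, spki_der):
    # Pick the data the record refers to, then apply the record's matching type.
    selected = cert_der if selector == SELECTOR_FULL_CERT else spki_der
    if matching_type == MATCH_EXACT:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()

def build_tlsa(cert_der, spki_der, selector, matching_type, usage=3):
    """Operator side: emit the zone-file form '<usage> <selector> <mtype> <hex>'."""
    assoc = _select_and_hash(selector, matching_type, cert_der, spki_der)
    return f"{usage} {selector} {matching_type} {assoc.hex()}"

def parse_tlsa(presentation):
    """Client side: parse the zone-file form; the hex may be split into chunks."""
    usage, selector, mtype, *hexparts = presentation.split()
    rec = TLSARecord(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))
    if rec.selector not in (0, 1) or rec.matching_type not in (0, 1, 2):
        raise ValueError("unknown TLSA selector or matching type")
    return rec

def tlsa_matches(rec, cert_der, spki_der, dnssec_validated):
    """True only if the answer was DNSSEC-validated and the selected data matches."""
    if not dnssec_validated:
        return False  # an unvalidated TLSA answer carries no authority
    expected = _select_and_hash(rec.selector, rec.matching_type, cert_der, spki_der)
    return hmac.compare_digest(expected, rec.data)
```

A selector-1 (raw key) record keeps matching after the certificate is re-issued with the same key, whereas a selector-0 record must be updated with every new certificate; the constructed 2015/2016 certificates above illustrate that difference.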

The group will work on documenting the different approaches to using DANE keying, and the security implications of each. In addition, the WG may develop a framework (or frameworks) to facilitate the lookup of "client" DANE records for authorization/authentication purposes.

The group may also create documents that describe how protocol entities can discover and validate these bindings in the execution of specific applications. This work would be done in coordination with the IETF Working Groups responsible for the protocols.

The group may in addition encourage interoperability testing and document the results of such testing.

Milestones

Date          Milestone
1 Oct 2016    Recharter or close down
1 Dec 2015    Advance DANE reverse binding (server to client) document to IESG
1 Dec 2015    Advance DANE IPSEC document to IESG
1 Sep 2015    Advance DANE SMIME document to IESG
1 Aug 2015    Advance DANE operational guidance/errata document to IESG

Done milestones

Date          Milestone
Done          Advance DANE OPENPGP document to IESG
Done          Advance DANE SMTP document to IESG
Done          Advance DANE SRV document to IESG

1 new milestone currently in Area Director review.