DNS-based Authentication of Named Entities (dane) Internet Drafts

Using Secure DNS to Associate Certificates with Domain Names For S/MIME

draft-ietf-dane-smime-16.txt
Date: 16/03/2017
Authors: Paul Hoffman, Jakob Schlyter
Working Group: DNS-based Authentication of Named Entities (dane)
Formats: txt
This document describes how to use secure DNS to associate an S/MIME user's certificate with the intended domain name, similar to the way that DNS-Based Authentication of Named Entities (DANE), RFC 6698, does for TLS.


DNS-based Authentication of Named Entities (dane)

WG Name: DNS-based Authentication of Named Entities
Acronym: dane
Area: Security Area (sec)
State: Active (in the process of being closed)
Charter: charter-ietf-dane-02 (Approved)
Status update: last changed 2016-04-07
Dependencies: document dependency graph (SVG)
Additional URLs: wiki, issue tracker
Personnel:
  Chairs: Ólafur Guðmundsson, Warren Kumari
  Area Director: Stephen Farrell
  Secretary: Matt Lepinski
Mailing list:
  Address: dane@ietf.org
  To subscribe: https://www.ietf.org/mailman/listinfo/dane
  Archive: https://mailarchive.ietf.org/arch/browse/dane/
Jabber chat:
  Room address: xmpp:dane@jabber.ietf.org?join
  Logs: https://jabber.ietf.org/logs/dane/

Charter for Working Group

DANE is a set of mechanisms and techniques that allow Internet
applications to establish cryptographically secured communications
by using information made available in DNS. By binding the key
information to a domain name and protecting that binding with
DNSSEC, applications can easily discover authenticated keys for
services.

Objective:

The DANE WG will specify how to incorporate DANE and DANE-like
functionality into protocols. The WG will specify the use of DANE
for protocols that use SRV to express service location. The WG will
specify DANE use for SMTP, SMIME, OPENPGP, IPSEC and
other base electronic mail protocols (such as IMAP or POP). The
DANE WG shall also produce a set of implementation guidance
for operators and tool developers.

When work on currently chartered documents is complete the WG
may re-charter if sufficiently pressing new work is identified.

DANE is not intended to be a long-lived catch-all WG for all
public key distribution in DNS issues and so will generally not
adopt new work items without re-chartering.

Problem Statement:

The DANE working group has developed a framework for securely
retrieving keying information from the DNS [RFC6698]. This
framework allows server public key information to be securely
stored in and looked up from the DNS. This provides a binding between
a domain name providing a particular service and the key that can be
used to establish an encrypted connection to that service.

By requiring DNSSEC protection for the lookup of the public key
information, DANE leverages the integrity protection provided by
DNSSEC to enable secure discovery of keying information. Operators
wanting to take advantage of DANE for their services must turn on
DNSSEC signing on the zones used in finding the services. Using
DNS this way, bindings of keys to domains are asserted by the
entities that operate the DNS for that domain, not by external
entities.

The DANE mechanisms provide flexibility in how the keying
information is presented. DANE supports both certificates and raw
keys. Furthermore, the keys (raw or embedded in certificates) can be
full keys or hashes of keys.

The group will work on documenting the different approaches to using
DANE keying, and the security implications of each. In addition
the WG may develop a framework (or frameworks) to facilitate the lookup
of "client" DANE records for authorization/authentication purposes.

The group may also create documents that describe how protocol
entities can discover and validate these bindings in the execution
of specific applications. This work would be done in coordination
with the IETF Working Groups responsible for the protocols.

The group may in addition encourage interoperability testing and
document the results of such testing.

Milestones

Date Milestone
Oct 2016 Recharter or close down
Dec 2015 Advance DANE reverse binding (server to client) document to IESG
Dec 2015 Advance DANE IPSEC document to IESG
Sep 2015 Advance DANE SMIME document to IESG
Aug 2015 Advance DANE operational guidance/errata document to IESG
Done Advance DANE OPENPGP document to IESG
Done Advance DANE SMTP document to IESG
Done Advance DANE SRV document to IESG

1 new milestone currently in Area Director review.