[Dance] Re: [TLS] Re: Last Call: <draft-ietf-dance-client-auth-09.txt> (TLS Client Authentication via DANE TLSA records) to Proposed Standard
"Salz, Rich" <rsalz@akamai.com> Mon, 26 January 2026 15:57 UTC
Return-Path: <rsalz@akamai.com>
X-Original-To: dance@mail2.ietf.org
Delivered-To: dance@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id CD138AD25422; Mon, 26 Jan 2026 07:57:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.794
X-Spam-Level:
X-Spam-Status: No, score=-2.794 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com header.b="Om6c+Ega"; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=akamai365.onmicrosoft.com header.b="W7ieSJv3"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wCdF5Mhlh-DT; Mon, 26 Jan 2026 07:57:58 -0800 (PST)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [67.231.157.127]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 85BC8AD2540C; Mon, 26 Jan 2026 07:57:58 -0800 (PST)
Received: from pps.filterd (m0122330.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 60QFukb6071379; Mon, 26 Jan 2026 15:56:56 GMT
Received: from prod-mail-ppoint3 (a72-247-45-31.deploy.static.akamaitechnologies.com [72.247.45.31] (may be forged)) by mx0b-00190b01.pphosted.com (PPS) with ESMTPS id 4bvq4u4jm0-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 26 Jan 2026 15:56:56 +0000 (GMT)
Received: from pps.filterd (prod-mail-ppoint3.akamai.com [127.0.0.1]) by prod-mail-ppoint3.akamai.com (8.18.1.2/8.18.1.2) with ESMTP id 60QBKQIT022003; Mon, 26 Jan 2026 10:56:55 -0500
Received: from email.msg.corp.akamai.com ([172.27.50.220]) by prod-mail-ppoint3.akamai.com (PPS) with ESMTPS id 4bwbv5swf5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 26 Jan 2026 10:56:55 -0500
Received: from ustx2ex-exedge3.msg.corp.akamai.com (172.27.50.214) by ustx2ex-dag5mb3.msg.corp.akamai.com (172.27.50.220) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.29; Mon, 26 Jan 2026 07:56:55 -0800
Received: from ustx2ex-exedge4.msg.corp.akamai.com (172.27.50.215) by ustx2ex-exedge3.msg.corp.akamai.com (172.27.50.214) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.27; Mon, 26 Jan 2026 09:56:55 -0600
Received: from CO1PR07CU001.outbound.protection.outlook.com (72.247.45.132) by ustx2ex-exedge4.msg.corp.akamai.com (172.27.50.215) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.27 via Frontend Transport; Mon, 26 Jan 2026 07:56:55 -0800
Received: from MN2PR17MB4031.namprd17.prod.outlook.com (2603:10b6:208:200::22) by SA3PR17MB7106.namprd17.prod.outlook.com (2603:10b6:806:382::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9542.15; Mon, 26 Jan 2026 15:56:52 +0000
Received: from MN2PR17MB4031.namprd17.prod.outlook.com ([fe80::4082:17d0:7c11:1730]) by MN2PR17MB4031.namprd17.prod.outlook.com ([fe80::4082:17d0:7c11:1730%4]) with mapi id 15.20.9542.015; Mon, 26 Jan 2026 15:56:52 +0000
From: "Salz, Rich" <rsalz@akamai.com>
To: Shumon Huque <shuque@gmail.com>, Eric Rescorla <ekr@rtfm.com>
Thread-Topic: [TLS] Re: Last Call: <draft-ietf-dance-client-auth-09.txt> (TLS Client Authentication via DANE TLSA records) to Proposed Standard
Thread-Index: AQHcjtoGm0cX6ugd1Uejyjk6dCVo8LVkl70I
Date: Mon, 26 Jan 2026 15:56:52 +0000
Message-ID: <MN2PR17MB4031E3807DE7137A169C2E24CD93A@MN2PR17MB4031.namprd17.prod.outlook.com>
References: <176529902699.1146491.1360588667931244217@dt-datatracker-5bd94c585b-wk4l4> <CABcZeBOCNZf-mYJ2DM1YTnUAYpvtyc5Ba2qQ6aOmsYhS1y5fvA@mail.gmail.com> <CAHPuVdV4TvP4kHsEC=7K5QNFZUktYCRU44LqJr33fzB5Md+Q1Q@mail.gmail.com>
In-Reply-To: <CAHPuVdV4TvP4kHsEC=7K5QNFZUktYCRU44LqJr33fzB5Md+Q1Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-reactions: allow
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: MN2PR17MB4031:EE_|SA3PR17MB7106:EE_
x-ms-office365-filtering-correlation-id: 9cd81ba0-6d63-4988-e567-08de5cf385a7
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|10070799003|1800799024|376014|366016|38070700021|8096899003;
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MN2PR17MB4031.namprd17.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(10070799003)(1800799024)(376014)(366016)(38070700021)(8096899003);DIR:OUT;SFP:1102;
arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=akamai.com; dmarc=pass action=none header.from=akamai.com; dkim=pass header.d=akamai.com; arc=none
x-ms-exchange-crosstenant-authas: Internal
x-ms-exchange-crosstenant-authsource: MN2PR17MB4031.namprd17.prod.outlook.com
x-ms-exchange-crosstenant-network-message-id: 9cd81ba0-6d63-4988-e567-08de5cf385a7
x-ms-exchange-crosstenant-originalarrivaltime: 26 Jan 2026 15:56:52.2118 (UTC)
x-ms-exchange-crosstenant-fromentityheader: Hosted
x-ms-exchange-crosstenant-id: 514876bd-5965-4b40-b0c8-e336cf72c743
x-ms-exchange-crosstenant-mailboxtype: HOSTED
x-ms-exchange-transport-crosstenantheadersstamped: SA3PR17MB7106
Content-Type: multipart/alternative; boundary="_000_MN2PR17MB4031E3807DE7137A169C2E24CD93AMN2PR17MB4031namp_"
MIME-Version: 1.0
X-OriginatorOrg: akamai.com
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.20,FMLib:17.12.100.49 definitions=2026-01-26_03,2026-01-26_01,2025-10-01_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 mlxscore=0 adultscore=0 malwarescore=0 bulkscore=0 suspectscore=0 phishscore=0 mlxlogscore=983 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2601150000 definitions=main-2601260135
X-Proofpoint-GUID: 3hvr_-KbEKrNzLkn1IS3V_uPC9lqyXWb
X-Proofpoint-ORIG-GUID: 3hvr_-KbEKrNzLkn1IS3V_uPC9lqyXWb
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 clxscore=1011 malwarescore=0 priorityscore=1501 bulkscore=0 suspectscore=0 phishscore=0 spamscore=0 lowpriorityscore=0 adultscore=0 impostorscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2601150000 definitions=main-2601260136
Message-ID-Hash: 7CLZC5PU6GYWKE7G6ZJ5XHJ5VHKUEQHA
X-Message-ID-Hash: 7CLZC5PU6GYWKE7G6ZJ5XHJ5VHKUEQHA
X-MailFrom: rsalz@akamai.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "last-call@ietf.org" <last-call@ietf.org>, "dance-chairs@ietf.org" <dance-chairs@ietf.org>, "dance@ietf.org" <dance@ietf.org>, "draft-ietf-dance-client-auth@ietf.org" <draft-ietf-dance-client-auth@ietf.org>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>, "paul.wouters@aiven.io" <paul.wouters@aiven.io>, TLS WG <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Dance] Re: [TLS] Re: Last Call: <draft-ietf-dance-client-auth-09.txt> (TLS Client Authentication via DANE TLSA records) to Proposed Standard
List-Id: DANE Authentication for Network Clients Everywhere <dance.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dance/QgBylQSeLTOilPmA-e63jPf9A7g>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dance>
List-Help: <mailto:dance-request@ietf.org?subject=help>
List-Owner: <mailto:dance-owner@ietf.org>
List-Post: <mailto:dance@ietf.org>
List-Subscribe: <mailto:dance-join@ietf.org>
List-Unsubscribe: <mailto:dance-leave@ietf.org>
> Thanks for the review Eric. Yes, we should have looped in the TLS
> working group earlier. (I've cc'd them).

Thanks for that.

> This draft's origin predated TLS 1.3, and earlier work on it happened when
> TLS 1.3 wasn't as widely deployed as it is now.

Yes, had TLS WG been involved earlier, it would have been better known I guess :)

> I would be inclined to just remove TLS 1.2 support from the specification, if
> there is agreement.

You will have to do that, since the extension can ONLY be registered for TLS 1.3.

> > This has the effect of revealing the client's identity on the wire.
>
> It does, I guess unless encrypted DNS transport is being used.
> A number of other protocol mechanisms already have similar problems,
> don't they, like TLS client's lookup of SVCB records for ECH, etc, if
> not done with encrypted DNS transport.

A client looking up SVCB records does not expose the client's identity. EKR pointed out that this doc explicitly has the server look up the client identity.

> At one point we had considered whether the client should look up
> its own DANE information and send it in an extension (the opposite
> form of RFC 9102: TLS DNSSEC chain extension), but decided that this
> might be too much complexity to impose on the client, particularly since
> some of them might be resource constrained. That topic could be revisited.

I think you should. A key point of TLS 1.3 is not to expose the client identity. As a bare minimum, if no changes are made, the security considerations should make this exposure explicit.

> could also probably shore up the language to mandate the use
> of the extension (non-empty), instead of allowing it to be omitted
> if the certificate only has one dns SAN identifier.

That seems like a good idea.

> > Below you say that the client MUST supply the client identity
> > extension if there are >1 SANs but what is the server to do
> > if the client does not?
>
> The server should abort the connection with an error (and maybe
> a tailored TLS alert needs to be defined).

You probably do not want a custom alert as that gives out too much information.
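The exchange above argues over three server-side details: which dNSName the server should look up when the client certificate carries more than one SAN, what the server does when the identity extension is missing or empty, and whether the failure should be signalled with a purpose-built alert. The Python below is an added example written for this archive page, not code from the draft or from either correspondent. It models that server-side decision and the RFC 6698 TLSA matching step, and makes the privacy point concrete: the `qname` it returns is the datum that carries the client identity onto the server's resolver path. Assumptions: the `_<service>._dane.<name>` owner-name layout is a placeholder rather than the draft's naming rule, the single generic `bad_certificate` alert for every failure is an illustrative choice following the reply above, DNSSEC validation is taken as done by the resolver, and the certificate, SPKI and zone bytes are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the DER-encoded client certificate and its
# SubjectPublicKeyInfo; a real server takes these from the Certificate message.
SAMPLE_CERT_DER = b"constructed-client-certificate-der"
SAMPLE_SPKI_DER = b"constructed-client-spki-der"

# One generic alert for every failure (illustrative choice). No DANE-specific
# alert lets an observer tell "no identity extension" from "no TLSA record"
# from "key mismatch"; the detail stays in the server-side `reason` field.
GENERIC_ALERT = "bad_certificate"


@dataclass(frozen=True)
class TLSA:
    """An RFC 6698 TLSA RDATA tuple."""
    usage: int      # 3 = DANE-EE, the only usage this example accepts
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes


@dataclass(frozen=True)
class Decision:
    accepted: bool
    identity: Optional[str]   # dNSName the server settled on, if any
    qname: Optional[str]      # DNS name the server queried, if any
    alert: Optional[str]      # alert sent on abort
    reason: str               # server-side log detail, never sent on the wire


def tlsa_owner_name(identity: str, service: str) -> str:
    """Assumed owner-name layout for the lookup (placeholder, not the draft's rule)."""
    return f"_{service}._dane.{identity}"


def select_client_identity(san_dns_names, ext_identity):
    """The rule debated above: a non-empty identity extension must name one of
    the certificate's dNSName SANs; with no extension the server proceeds only
    when the certificate carries exactly one dNSName.
    Returns (identity, None) on success or (None, reason) on failure."""
    if ext_identity is not None:
        if ext_identity == "":
            return None, "empty identity extension"
        if ext_identity not in san_dns_names:
            return None, "extension identity not among certificate SANs"
        return ext_identity, None
    if len(san_dns_names) == 1:
        return san_dns_names[0], None
    return None, "multiple SANs and no identity extension"


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """RFC 6698 selector and matching-type evaluation against the presented cert."""
    target = cert_der if record.selector == 0 else spki_der
    if record.matching == 0:
        return record.data == target
    if record.matching == 1:
        return record.data == hashlib.sha256(target).digest()
    if record.matching == 2:
        return record.data == hashlib.sha512(target).digest()
    return False  # unknown matching type: unusable record


# Constructed zone standing in for a DNSSEC-validated TLSA answer. Chain
# validation (AD bit) is assumed to be done by the resolver and not modelled.
ZONE = {
    tlsa_owner_name("device1.example.com", "tls"): [
        TLSA(3, 1, 1, hashlib.sha256(SAMPLE_SPKI_DER).digest()),
    ],
}


def server_decision(san_dns_names, ext_identity, cert_der, spki_der,
                    service="tls", zone=ZONE) -> Decision:
    """Server-side DANE client authentication as discussed in the thread.
    `qname` is exactly what leaks the client identity to anyone watching the
    server's resolver traffic when that path is not encrypted."""
    identity, reason = select_client_identity(san_dns_names, ext_identity)
    if identity is None:
        return Decision(False, None, None, GENERIC_ALERT, reason)
    qname = tlsa_owner_name(identity, service)
    records = zone.get(qname, [])
    if not records:
        return Decision(False, identity, qname, GENERIC_ALERT, "no TLSA record")
    for rec in records:
        if rec.usage == 3 and tlsa_matches(rec, cert_der, spki_der):
            return Decision(True, identity, qname, None, "DANE-EE match")
    return Decision(False, identity, qname, GENERIC_ALERT, "no TLSA record matched")
```

Run with a two-SAN certificate and no extension to see the abort path the thread asks about; the `reason` strings differ per failure while the alert on the wire does not, which is the property the reply above argues for.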
- [Dance] Last Call: <draft-ietf-dance-client-auth-… The IESG
- [Dance] Re: Last Call: <draft-ietf-dance-client-a… Eric Rescorla
- [Dance] Re: Last Call: <draft-ietf-dance-client-a… Muhammad Usama Sardar
- [Dance] Re: Last Call: <draft-ietf-dance-client-a… Shumon Huque
- [Dance] Re: [TLS] Re: Last Call: <draft-ietf-danc… Salz, Rich
- [Dance] Re: [TLS] Re: Last Call: <draft-ietf-danc… Shumon Huque
- [Dance] Re: Last Call: <draft-ietf-dance-client-a… Eric Rescorla
- [Dance] Re: [TLS] Re: Last Call: <draft-ietf-danc… Eric Rescorla
- [Dance] Re: [TLS] Re: Last Call: <draft-ietf-danc… Muhammad Usama Sardar
- [Dance] Re: [TLS] Re: Last Call: <draft-ietf-danc… Paul Wouters
- [Dance] Re: [TLS] Re: Last Call: <draft-ietf-danc… Salz, Rich
- [Dance] Re: [TLS] Re: Last Call: <draft-ietf-danc… Eric Rescorla
- [Dance] Re: [TLS] Re: Last Call: <draft-ietf-danc… Paul Wouters
- [Dance] Re: [TLS] Re: Last Call: <draft-ietf-danc… Eric Rescorla
- [Dance] Re: [TLS] Re: Last Call: <draft-ietf-danc… Muhammad Usama Sardar
- [Dance] Re: [TLS] Re: Last Call: <draft-ietf-danc… Muhammad Usama Sardar
- [Dance] Re: [TLS] Re: Last Call: <draft-ietf-danc… Shumon Huque
- [Dance] Re: [TLS] Re: Last Call: <draft-ietf-danc… Eric Rescorla
- [Dance] Re: [TLS] Re: Last Call: <draft-ietf-danc… Muhammad Usama Sardar
- [Dance] Re: [TLS] Re: Last Call: <draft-ietf-danc… Eric Rescorla
- [Dance] Re: [TLS] Re: Last Call: <draft-ietf-danc… Paul Wouters
- [Dance] Re: [Last-Call] Re: [TLS] Re: Last Call: … Salz, Rich
- [Dance] Re: [TLS] Re: Last Call: <draft-ietf-danc… Paul Wouters