Re: Report on preliminary decision on TLS 1.3 and client auth

Martin Thomson <> Fri, 25 September 2015 17:36 UTC

Date: Fri, 25 Sep 2015 10:32:49 -0700
From: Martin Thomson <>
To: Poul-Henning Kamp <>
Cc: Yoav Nir <>, Amos Jeffries <>, HTTP Working Group <>

On 25 September 2015 at 10:20, Poul-Henning Kamp <> wrote:
> I think in the current climate, we have a lot of latitude for
> doing things right, and telling people why they should migrate
> to something safer, so we should seriously consider skipping
> the workarounds and aim for something that will hold up well
> under pressure.

I want to do that too, but if that generates too much incentive to
remain on old protocols, I don't think that is the only thing we can

Note that there are a lot of alternatives out there already.  For
instance, the widely deployed OAuth-based systems.  There are some
small differences in their security properties, which might be

However, I confess that I don't know whether that is a consideration
as much as pure inertia.  Maybe application developers that use client
certificates really like the fact that they have terrible privacy

Either way, I don't believe that we get to play the dictator here.
People will do what they feel that they need to.  If we don't help,
they will implement options that are even worse than those that I