Re: [Secdispatch] [EXTERNAL] Re: Requesting agenda time for draft-halen-fed-tls-auth
Stefan Halen <stefan.halen@internetstiftelsen.se> Wed, 13 July 2022 20:59 UTC
From: Stefan Halen <stefan.halen@internetstiftelsen.se>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
CC: "secdispatch@ietf.org" <secdispatch@ietf.org>
Date: Wed, 13 Jul 2022 20:58:13 +0000
Message-ID: <1129dd6b-00fe-88fe-4392-497d1b92b859@internetstiftelsen.se>
References: <e5685a29-f8b6-f44a-ad8a-cda5da1c1e75@internetstiftelsen.se> <CABcZeBPn+FuHWFffWBTtQW9wzhuSO8piBRrTfDQ3ikJZRS_FFw@mail.gmail.com> <fded171a-9f7e-3633-c5e2-c959e8ff405d@internetstiftelsen.se> <758931.1657661536@dooku> <CH0PR11MB57393C7F487800C2BC6CC0C89F869@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB57393C7F487800C2BC6CC0C89F869@CH0PR11MB5739.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/ZlQLdh3uPpOgUegLAlFcYnW-qL4>
Subject: Re: [Secdispatch] [EXTERNAL] Re: Requesting agenda time for draft-halen-fed-tls-auth
> The draft itself sounds like it's trying to solve the problem of meshing multiple PKIs into a single trust hierarchy, which you can already do within existing PKIX standards via cross-certs (with name constraints, pathlen constraints, etc) to the CA of each trust domain (either pairwise or via a central "bridge CA").
>
> The email thread sounds like it's also trying to solve service discovery at the same time. It's doing this via a mashup of federated SAML and PKI. No doubt this is an interesting solution to real problems, but it's not clear to me that we benefit from making it into an Internet standard. Are you seeing multiple vendors with similar but not-quite-compatible implementations that are in need of standardization?
>
>
> About this point:
>
>> Issuers are for reverse proxies that do not support optional_no_ca. Pin
>> validation is performed by the application
>
> The HTTPbis WG has "draft-ietf-httpbis-client-cert-field" coming down the pipeline (formerly "draft-bdc-something-something-certificate") which should help shepherd reverse proxy vendors into better support for delegating client cert validation back to the application. To me, the option to make reverse proxies "dumber" in a standard way seems like a better solution than building a federated SAML layer on top in order to make reverse proxies "smarter".

You pretty much sum it up: "mashup of federated SAML and PKI". Having multiple vendors that needed a common and secure way of doing things was exactly why we did this. If a service provider is part of the federation then user identification is done by SAML and machine authentication by FedTLS.

Regards
Stefan
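The exchange above turns on one deployment detail: a reverse proxy that supports nginx's `ssl_verify_client optional_no_ca` accepts any client certificate without validating its chain and forwards it to the backend (for nginx, URL-encoded PEM in `$ssl_client_escaped_cert`; the HTTPbis draft Mike mentions, since published as RFC 9440, standardises a `Client-Cert` field for the same job), and the application then does the real check by pinning the client's public key against the pins published in the federation metadata. The following is an added example written for this page, not code from the draft or from any FedTLS implementation. It assumes the proxy forwards the PEM certificate URL-encoded in a header and that a pin is base64(sha256(DER SubjectPublicKeyInfo)), the RFC 7469 convention; the header name, the metadata pin format and the sample certificate (an unsigned DER skeleton with placeholder key bits) are all constructed for the example.

```python
"""Application-side client-certificate pin check behind a 'dumb' reverse proxy.

Assumed proxy config (nginx, not part of the original message):
    ssl_verify_client optional_no_ca;
    proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;   # header name assumed
"""
import base64
import hashlib
import hmac
from collections import namedtuple
from urllib.parse import quote, unquote

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Strict PEM -> DER; rejects anything that is not a single CERTIFICATE block."""
    body = pem.strip()
    if not (body.startswith(PEM_HEADER) and body.endswith(PEM_FOOTER)):
        raise ValueError("not a PEM certificate")
    b64 = body[len(PEM_HEADER):-len(PEM_FOOTER)]
    return base64.b64decode("".join(b64.split()), validate=True)


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV header at buf[pos]; return (tag, content_start, content_end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                  # long-form length
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, end


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 DER certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, pos, tbs_end = _read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    if cert_der[pos] == 0xA0:                         # optional [0] EXPLICIT version
        _, _, pos = _read_tlv(cert_der, pos)
    for _ in range(5):                                # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[pos:end]


def spki_pin(spki_der: bytes) -> str:
    """Pin as assumed for the federation metadata: base64(sha256(DER SPKI)), per RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def authenticate_client(escaped_cert_header, trusted_pins):
    """Return (accepted, reason). No cert, an unparseable cert, or a key whose pin the
    federation never published are all rejections; nothing here trusts the proxy's verdict."""
    if not escaped_cert_header:
        return False, "no client certificate presented"
    try:
        pin = spki_pin(extract_spki(pem_to_der(unquote(escaped_cert_header))))
    except (ValueError, IndexError) as exc:
        return False, f"unparseable client certificate: {exc}"
    for trusted in trusted_pins:
        if hmac.compare_digest(pin, trusted):         # constant-time compare
            return True, "client key pin matched federation metadata"
    return False, "client key pin not present in federation metadata"


# --- constructed sample input: an unsigned X.509 DER skeleton, not a real certificate ---
Sample = namedtuple("Sample", "der header spki pin")


def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder for the sample builder."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_constructed_cert() -> Sample:
    """Build the skeleton certificate and the URL-encoded header the proxy would forward."""
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))       # rsaEncryption
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    spki = _der(0x30, _der(0x30, rsa_oid + _der(0x05, b"")) +
                      _der(0x03, b"\x00" + bytes(range(1, 33))))     # placeholder key bits
    validity = _der(0x30, _der(0x17, b"220713000000Z") + _der(0x17, b"230713000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg +
               _der(0x30, b"") + validity + _der(0x30, b"") + spki)   # empty issuer/subject
    der = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 9))
    b64 = base64.b64encode(der).decode("ascii")
    pem = "\n".join([PEM_HEADER] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [PEM_FOOTER])
    return Sample(der, quote(pem, safe=""), spki, spki_pin(spki))
```

Usage: `s = build_constructed_cert()` and then `authenticate_client(s.header, [s.pin])` accepts, while the same header against a pin list that omits `s.pin`, a missing header, or a non-certificate value are all rejected. The point of the structure is that the proxy's `optional_no_ca` verdict is never consulted; the backend derives its own decision from the key material and the metadata, which is what makes the "dumber proxy" split safe.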