Re: [Secdispatch] Requesting agenda time for draft-halen-fed-tls-auth

Stefan Halen <stefan.halen@internetstiftelsen.se> Wed, 13 July 2022 20:52 UTC

Return-Path: <stefan.halen@internetstiftelsen.se>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 137CAC16ECB5 for <secdispatch@ietfa.amsl.com>; Wed, 13 Jul 2022 13:52:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=internetstiftelsen.se header.b=KL368YU3; dkim=pass (1024-bit key) header.d=internetstiftelsenisverige.onmicrosoft.com header.b=d38S9kRG
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hv2nosP54wrc for <secdispatch@ietfa.amsl.com>; Wed, 13 Jul 2022 13:52:20 -0700 (PDT)
Received: from relay1.iis.se (relay1.iis.se [IPv6:2001:67c:124c:7317::15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13EDCC15A735 for <secdispatch@ietf.org>; Wed, 13 Jul 2022 13:52:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=internetstiftelsen.se; s=iis2015; h=mime-version:content-transfer-encoding:content-id:content-type:in-reply-to: references:message-id:date:subject:cc:to:from:from; bh=kV1fMV1kzv1iSiDjpKVZ7ojyWI6UgYkPl7Rw3xdm9eg=; b=KL368YU3SPDiFlhorl8gODehd6DKO1o87ml4l+UYAxId+CWlDYogvcXW09PmtsJyEUuvD8mlPDnyE ohGBLOlH4MK4cgKyHwIBiFZShBA+80YUnBeD1Kjwaur6WWIzBxQes3C+CSm9zESlqhi4K66EcMNms4 6AkJvWxV0pnvVT70=
Received: from emea01-obe.outbound.protection.outlook.com (mail-swedensouthazlp17011001.outbound.protection.outlook.com [40.93.213.1]) by relay1.iis.se (Halon) with ESMTPS id aba8ad22-02ed-11ed-a9bd-005056827d92; Wed, 13 Jul 2022 20:52:13 +0000 (UTC)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jZxaOBsWNmhoTjixxb4CD1TuBO80JtWXUMQXyVR5t4yv4LTLIrH4Eo+tnqm9nSWfyeW0Rm1lP/aeX/UNjVUJcyAnfUY+28GiEzludQIBBzOo7zJx4SrJtHGgdeGoyoRc1sw0ZbsQdcCRJ58buCpdXYXwfLvPWKBogikwbY7uivKI/kPUXDJU00n9j/8ndYCRvXEAj94driwC+JZU+GsXLb0IzGTVs7vXyFGMGtyAioIStD+NzraEH78eu/Wq5V/E7uWNNi3RIEaIb7Gy0t3aTxcY/C7plj/m8BAFmQ/lpJBIcSyHQ22fUdijGwsS6Oxm4WkrRGfZ9nYzwTOcqJdlUg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=kV1fMV1kzv1iSiDjpKVZ7ojyWI6UgYkPl7Rw3xdm9eg=; b=JHxrETPcGamLRiwxxC6dDWaG9biXS2C9QcgUYnqAG50DQcXdkb/yAIdBPTwxZjqFQWT/Dftj516J+x7Z269fwbVndfrligPTGr2BreisWWJm5B27QIHUCxlqdM9qnGHqsIEYNKnC1Epnx18sdqDlCfjHnnXT7fdMw68G1yk8O+Ct60NC8beM4EQDAVNaI1SBEGFJDdO8xkm07x2eGbBaOoTX2RWQTsTI2zQIpV3MGgtWtaw1+cy3gGCzE3iZi1A1KzuxRJDzAGa6UBrwgJad0CShd0yD5Km2SwRcjYG+B9XopHITvPAoZ0pcRtQ12VjlaEq63PrzlieAIczHAY9rWA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=internetstiftelsen.se; dmarc=pass action=none header.from=internetstiftelsen.se; dkim=pass header.d=internetstiftelsen.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=internetstiftelsenisverige.onmicrosoft.com; s=selector1-internetstiftelsenisverige-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kV1fMV1kzv1iSiDjpKVZ7ojyWI6UgYkPl7Rw3xdm9eg=; b=d38S9kRGYbnp0IekvUIo47GgkV0TT4mb4yvMLW2LDhtC6CoIL3cGccw/ro5xss7E6Rxjhlcv0HFuHRjHjDxj8NfVr00RUVFz9D0ki1WDXx+jtB3yvISfGtDOeDTnba0bcYtjsYZRqKhOu5F4SkQnxyZIDLHf5YIN7/4hjT9YOH4=
Received: from GVZP280MB0427.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:46::13) by MM0P280MB0229.SWEP280.PROD.OUTLOOK.COM (2603:10a6:190:c::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5417.17; Wed, 13 Jul 2022 20:51:50 +0000
Received: from GVZP280MB0427.SWEP280.PROD.OUTLOOK.COM ([fe80::f000:a535:a77b:62bd]) by GVZP280MB0427.SWEP280.PROD.OUTLOOK.COM ([fe80::f000:a535:a77b:62bd%6]) with mapi id 15.20.5417.026; Wed, 13 Jul 2022 20:51:50 +0000
From: Stefan Halen <stefan.halen@internetstiftelsen.se>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "secdispatch@ietf.org" <secdispatch@ietf.org>
Thread-Topic: [Secdispatch] Requesting agenda time for draft-halen-fed-tls-auth
Thread-Index: AQHYkTxJZh+3w1CapU6UncoT060w261zf7wAgAEU+4CABraHAIABhweA
Date: Wed, 13 Jul 2022 20:51:50 +0000
Message-ID: <9c0f5534-1380-292f-8984-deb463a40446@internetstiftelsen.se>
References: <e5685a29-f8b6-f44a-ad8a-cda5da1c1e75@internetstiftelsen.se> <CABcZeBPn+FuHWFffWBTtQW9wzhuSO8piBRrTfDQ3ikJZRS_FFw@mail.gmail.com> <fded171a-9f7e-3633-c5e2-c959e8ff405d@internetstiftelsen.se> <758931.1657661536@dooku>
In-Reply-To: <758931.1657661536@dooku>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=internetstiftelsen.se;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ca949213-a635-4df1-5e78-08da651182b2
x-ms-traffictypediagnostic: MM0P280MB0229:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GVZP280MB0427.SWEP280.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230016)(4636009)(346002)(366004)(136003)(376002)(396003)(39840400004)(122000001)(71200400001)(478600001)(316002)(86362001)(6486002)(36756003)(31696002)(66476007)(2616005)(38100700002)(76116006)(4326008)(31686004)(64756008)(8676002)(186003)(6506007)(66946007)(66446008)(41300700001)(66556008)(6512007)(5660300002)(8936002)(4744005)(26005)(44832011)(2906002)(38070700005)(43740500002)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
Content-Type: text/plain; charset="utf-8"
Content-ID: <6B7F0C61D7D4164BAB15A4BDF715241D@SWEP280.PROD.OUTLOOK.COM>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: internetstiftelsen.se
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GVZP280MB0427.SWEP280.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: ca949213-a635-4df1-5e78-08da651182b2
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jul 2022 20:51:50.7766 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c2aa68f8-18f3-48ae-81ba-02301d121d9a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: NIxIFRL2mRxM2Zbdtz37lySc+YsQEmvZH5rvG5xzqeLtvuOt7VthNs2vU7vq9EXVnL5hle8TP3245lYaqDk9bg98wTuk54cOMxHXbf95YwTXhJvExOJHmj/C4CajH+xy
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MM0P280MB0229
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/_At9Ru8JclBYxtHJ-CW91gPrpJo>
Subject: Re: [Secdispatch] Requesting agenda time for draft-halen-fed-tls-auth
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2022 20:52:26 -0000

> They can not opportunistically use a certificate provided in the TLS setup to
> complete the TLS connection, and then allow an application framework behind
> them to indicate if the client certificate should have been accepted or not.
>
> I don't yet understand how your protocol solves this, but I think that
> RFC8995 could suffer from this constraint in the Registrar->MASA connection.

Yes, issuers are there only to make it possible for implementations that
can't do optional_no_ca to accept the certificate and offload the
validation of the pin to the application. This is to make it possible to
use self-signed certificates.
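The split described in this reply, accepting any client certificate at the TLS layer and leaving the accept/reject decision to the application, is an added example written for this page; it is not code from draft-halen-fed-tls-auth or from anyone in the thread. Go's crypto/tls has a native equivalent of nginx's `ssl_verify_client optional_no_ca`: `ClientAuth: tls.RequireAnyClientCert` requests a certificate without building a chain, and `VerifyPeerCertificate` is the application hook that decides. The pin format here (hex SHA-256 of the SubjectPublicKeyInfo held in a plain map) is an assumption standing in for pins distributed through federation metadata; all certificates, names and the `handshakeAccepted` helper are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// spkiPin is the hex SHA-256 of the SubjectPublicKeyInfo, the value a federation would publish.
func spkiPin(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(cert.RawSubjectPublicKeyInfo))
}

// verifyPinnedPeer replaces chain validation: the leaf passes only if its SPKI pin is in
// the pin store (a hypothetical map standing in for pins taken from federation metadata).
func verifyPinnedPeer(rawCerts [][]byte, pins map[string]bool) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("peer presented no certificate")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return fmt.Errorf("parse peer certificate: %w", err)
	}
	if !pins[spkiPin(leaf)] {
		return fmt.Errorf("peer key is not pinned")
	}
	return nil
}

// pinnedServerConfig asks for a client certificate with no CA check (RequireAnyClientCert)
// and leaves the accept/reject decision to verifyPinnedPeer.
func pinnedServerConfig(serverCert tls.Certificate, pins map[string]bool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAnyClientCert,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return verifyPinnedPeer(rawCerts, pins)
		},
	}
}

// newSelfSignedCert builds a throwaway self-signed identity (constructed demo material).
func newSelfSignedCert(name string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // just created, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshakeAccepted runs one handshake over loopback TCP; the server sends "ok" only
// after the pin check passed, so the client can observe the decision.
func handshakeAccepted(server, client *tls.Config) bool {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() {
		if raw, err := ln.Accept(); err == nil {
			conn := tls.Server(raw, server)
			if conn.Handshake() == nil {
				conn.Write([]byte("ok"))
			}
			conn.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return false
	}
	defer conn.Close()
	buf := make([]byte, 2)
	n, err := conn.Read(buf) // a rejected client gets a TLS alert here instead of data
	return err == nil && string(buf[:n]) == "ok"
}

func main() {
	serverCert := newSelfSignedCert("server.example")
	pinned, stray := newSelfSignedCert("pinned-client.example"), newSelfSignedCert("stray-client.example")
	server := pinnedServerConfig(serverCert, map[string]bool{spkiPin(pinned.Leaf): true})
	roots := x509.NewCertPool()
	roots.AddCert(serverCert.Leaf)
	for _, c := range []tls.Certificate{pinned, stray} {
		client := &tls.Config{Certificates: []tls.Certificate{c}, RootCAs: roots, ServerName: "server.example"}
		fmt.Println("accepted:", handshakeAccepted(server, client))
	}
}
```

Run with `go run`; the pinned self-signed client completes the handshake and the unpinned one is refused with a bad-certificate alert, even though neither certificate chains to any CA. Note the failure mode the quoted message raises: with `RequireAnyClientCert` the TLS layer itself proves only possession of the private key, so every bit of trust now rests on `verifyPinnedPeer` and on how the pin store is populated and kept current.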