[TLS] Re: [lamps] Re: TLS Client Certificates; a survey

Nico Williams <nico@cryptonector.com> Mon, 30 March 2026 20:39 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id CF09AD3B3F60; Mon, 30 Mar 2026 13:39:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1774903170; bh=rnJND6xMRFl/3Z9wOQdgJKrHl5+h6MAeo6srlzhR66A=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=dYjlYPYO7ozos6RisE9JiSXStEhovfr8bSZ25A/E61ZiBupxdHrdwGtyDpCJZEcMS nhHbS+l6AwKs9Jyh/LUrJEmmA2SXgy+n3YiVOH6QNUjkF+4FgSXSlYj6XMA2a6C0N+ KQ+Pga2Awv3ScS+9VxZ6kZ5fNtmSq1KHdixKNa8o=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qz0GBVRUo6Mv; Mon, 30 Mar 2026 13:39:30 -0700 (PDT)
Received: from cheetah.ash.relay.mailchannels.net (cheetah.ash.relay.mailchannels.net [23.83.222.34]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 20D0CD3B3EB4; Mon, 30 Mar 2026 13:38:59 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id B157A7E1F64; Mon, 30 Mar 2026 20:38:53 +0000 (UTC)
Received: from pdx1-sub0-mail-a251.dreamhost.com (trex-green-5.trex.outbound.svc.cluster.local [100.122.210.181]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 43D357E2515; Mon, 30 Mar 2026 20:38:53 +0000 (UTC)
ARC-Seal: i=1; a=rsa-sha256; d=mailchannels.net; s=arc-2022; cv=none; t=1774903133; b=K2lWoph25/I6YwpH6pex4oYj3vtzrLz6ZJPdWIvdy/C2lqFeKd7MJOd/J2myXyvXABBwr/ JDhcTsSiWhqK2CwfUCwVrXq+86TT7ik2KSiNrj2rm3JTwmkSfPLKqCzpmAOejS0DNvWGiJ K7y4kMyTAsTvB/jSbOEgD83XekFKTKVyMrbtcpw1p0+YHxWeNe18YQ5Myjh0AZnFeMvNk7 5yM8av2AgEQOnPTX+6vWDfdZI08GnLCBCEID9HqORGof8fu1giyztjnUCUwNPhH3A6jeNn d+41xGkYHBLEQ3unkn2stxWseWPl4T6+dNh5UnRAQerkql5FApXXyFR7o85ygw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1774903133; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=GuY+Y2TJP18exuN7BqsYdhiV0HhZhii3Z74RfPi8Mvg=; b=vr8rNKCKdJWSCZvPR14V3laiaENlBAoL2UYV255I3wQq/63hHRtlKMJUuxAsU3RlL0mLcU x1L2Bni+VEBXyABpVXgJJd0gDdQ/gDWCmCLa9SBOO9+zxwNlvQ3sgdmg7foD8Nqvb41STf c0nZP3XYwYMpOSl0eBW3WzqbUAgcWTSvgMbV4rKs8N7f46UmCwGWQk8LNotbxCHxnbhWyN XgS/o0kIcRbr+RuUKIPmIqJQ2pD4+f8WQ9dMU9EGhcPP7dZWh8SA/4wnzWabKdnAZ8Wu9b JXoEkO4muT5GBULbp4/FQC8mf/8eY96ydzOcPqJncqz59oFrv4XrjQhG43vJ+w==
ARC-Authentication-Results: i=1; rspamd-7f98bb5847-52g88; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Wiry-Chief: 0cb577515c67ab94_1774903133512_4269317919
X-MC-Loop-Signature: 1774903133512:2155723384
X-MC-Ingress-Time: 1774903133512
Received: from pdx1-sub0-mail-a251.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.122.210.181 (trex/7.1.5); Mon, 30 Mar 2026 20:38:53 +0000
Received: from ubby (unknown [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a251.dreamhost.com (Postfix) with ESMTPSA id 4fl34X4XtyzyrC; Mon, 30 Mar 2026 13:38:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1774903133; bh=GuY+Y2TJP18exuN7BqsYdhiV0HhZhii3Z74RfPi8Mvg=; h=Date:From:To:Cc:Subject:Content-Type:Content-Transfer-Encoding; b=YrG0MbDWOBPHfyzQcNWeEY5OdUyUHmlanj3WWOrBf0ho7x1FT6bUJMKTJnuvB+dHE JRyyEUcMhWAdqb9OLR1L7+oAS/7QVLae8oqaSct48YrCZpaOsrBTPb7KZveftyXYga Ow6wFuwqQEc0VOEoiPIxC85r0Hohg4rslLjXzce320yZQxmZs9pAairVSgj2/ZS7gs zlCzhyT1C4auCvSpNydi6mhQg3N7x8T7zhzCjEgEq3ZAwj23FWSfhNrA3S3AGCmc7G t2MGnVniBf1RgaI/K9LT2Vj7VOajIgFmbEBojcCWZQ8NPB4pf+XOYaOU/7mH4OMh0+ ItRNVxGF41SXw==
Date: Mon, 30 Mar 2026 15:38:50 -0500
From: Nico Williams <nico@cryptonector.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Message-ID: <acrfWoDSHUrYj1if@ubby>
References: <MN2PR17MB40314193002D42E6ED4F465ACD4CA@MN2PR17MB4031.namprd17.prod.outlook.com> <MN2PR17MB40315028C6985BD9F4F0C886CD52A@MN2PR17MB4031.namprd17.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <MN2PR17MB40315028C6985BD9F4F0C886CD52A@MN2PR17MB4031.namprd17.prod.outlook.com>
Message-ID-Hash: YVYOCZWYXAGCDTDHYNPX3ZEMGSJ2DYBB
X-Message-ID-Hash: YVYOCZWYXAGCDTDHYNPX3ZEMGSJ2DYBB
X-MailFrom: nico@cryptonector.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Tls <tls@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [lamps] Re: TLS Client Certificates; a survey
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9o159R9vZQgayL37swt0S_CvLIc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Mon, Mar 30, 2026 at 08:04:54PM +0000, Salz, Rich wrote:
> The overwhelming response (strong consensus) — both posted and via
> private replies — is that applications will just switch to
> TLS-Server-Auth identities for the client side.

That violates RFCs 5280 & 8446 and vitiates the Chrome Root Program's
new policy.  Whatever problem that policy change meant to addres might
only be made worse by this approach (sure, only for those apps that
implement this workaround, but for those, yes, it will be worse).

There has to be a better way.

Does the IETF have a Liason to the Chrome Root Program?  Can we reach
out to them and ask them?  When I did they simply did not respond, but
if the IETF TLS and/or LAMPS WG chairs, or IETF Security ADs reach out
to them perhaps they'll respond -- failing that then maybe the IETF
Chair or the IAB.

Nico
--