Return-Path: <nico@cryptonector.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1])
	by mail2.ietf.org (Postfix) with ESMTP id CF09AD3B3F60;
	Mon, 30 Mar 2026 13:39:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1;
	t=1774903170; bh=rnJND6xMRFl/3Z9wOQdgJKrHl5+h6MAeo6srlzhR66A=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To;
	b=dYjlYPYO7ozos6RisE9JiSXStEhovfr8bSZ25A/E61ZiBupxdHrdwGtyDpCJZEcMS
	 nhHbS+l6AwKs9Jyh/LUrJEmmA2SXgy+n3YiVOH6QNUjkF+4FgSXSlYj6XMA2a6C0N+
	 KQ+Pga2Awv3ScS+9VxZ6kZ5fNtmSq1KHdixKNa8o=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level: 
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5
	tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
	DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001,
	RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001,
	RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001,
	SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key)
	header.d=cryptonector.com
Received: from mail2.ietf.org ([166.84.6.31])
	by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id qz0GBVRUo6Mv; Mon, 30 Mar 2026 13:39:30 -0700 (PDT)
Received: from cheetah.ash.relay.mailchannels.net
 (cheetah.ash.relay.mailchannels.net [23.83.222.34])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256)
	(No client certificate requested)
	by mail2.ietf.org (Postfix) with ESMTPS id 20D0CD3B3EB4;
	Mon, 30 Mar 2026 13:38:59 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1])
	by relay.mailchannels.net (Postfix) with ESMTP id B157A7E1F64;
	Mon, 30 Mar 2026 20:38:53 +0000 (UTC)
Received: from pdx1-sub0-mail-a251.dreamhost.com
 (trex-green-5.trex.outbound.svc.cluster.local [100.122.210.181])
	(Authenticated sender: dreamhost)
	by relay.mailchannels.net (Postfix) with ESMTPA id 43D357E2515;
	Mon, 30 Mar 2026 20:38:53 +0000 (UTC)
ARC-Seal: i=1; a=rsa-sha256; d=mailchannels.net; s=arc-2022; cv=none;
	t=1774903133;
	b=K2lWoph25/I6YwpH6pex4oYj3vtzrLz6ZJPdWIvdy/C2lqFeKd7MJOd/J2myXyvXABBwr/
	JDhcTsSiWhqK2CwfUCwVrXq+86TT7ik2KSiNrj2rm3JTwmkSfPLKqCzpmAOejS0DNvWGiJ
	K7y4kMyTAsTvB/jSbOEgD83XekFKTKVyMrbtcpw1p0+YHxWeNe18YQ5Myjh0AZnFeMvNk7
	5yM8av2AgEQOnPTX+6vWDfdZI08GnLCBCEID9HqORGof8fu1giyztjnUCUwNPhH3A6jeNn
	d+41xGkYHBLEQ3unkn2stxWseWPl4T6+dNh5UnRAQerkql5FApXXyFR7o85ygw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=mailchannels.net;
	s=arc-2022; t=1774903133;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=GuY+Y2TJP18exuN7BqsYdhiV0HhZhii3Z74RfPi8Mvg=;
	b=vr8rNKCKdJWSCZvPR14V3laiaENlBAoL2UYV255I3wQq/63hHRtlKMJUuxAsU3RlL0mLcU
	x1L2Bni+VEBXyABpVXgJJd0gDdQ/gDWCmCLa9SBOO9+zxwNlvQ3sgdmg7foD8Nqvb41STf
	c0nZP3XYwYMpOSl0eBW3WzqbUAgcWTSvgMbV4rKs8N7f46UmCwGWQk8LNotbxCHxnbhWyN
	XgS/o0kIcRbr+RuUKIPmIqJQ2pD4+f8WQ9dMU9EGhcPP7dZWh8SA/4wnzWabKdnAZ8Wu9b
	JXoEkO4muT5GBULbp4/FQC8mf/8eY96ydzOcPqJncqz59oFrv4XrjQhG43vJ+w==
ARC-Authentication-Results: i=1;
	rspamd-7f98bb5847-52g88;
	auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Wiry-Chief: 0cb577515c67ab94_1774903133512_4269317919
X-MC-Loop-Signature: 1774903133512:2155723384
X-MC-Ingress-Time: 1774903133512
Received: from pdx1-sub0-mail-a251.dreamhost.com (pop.dreamhost.com
 [64.90.62.162])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384)
	by 100.122.210.181 (trex/7.1.5);
	Mon, 30 Mar 2026 20:38:53 +0000
Received: from ubby (unknown [75.81.95.64])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits)
 server-digest SHA256)
	(No client certificate requested)
	(Authenticated sender: nico@cryptonector.com)
	by pdx1-sub0-mail-a251.dreamhost.com (Postfix) with ESMTPSA id
 4fl34X4XtyzyrC;
	Mon, 30 Mar 2026 13:38:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com;
	s=dreamhost; t=1774903133;
	bh=GuY+Y2TJP18exuN7BqsYdhiV0HhZhii3Z74RfPi8Mvg=;
	h=Date:From:To:Cc:Subject:Content-Type:Content-Transfer-Encoding;
	b=YrG0MbDWOBPHfyzQcNWeEY5OdUyUHmlanj3WWOrBf0ho7x1FT6bUJMKTJnuvB+dHE
	 JRyyEUcMhWAdqb9OLR1L7+oAS/7QVLae8oqaSct48YrCZpaOsrBTPb7KZveftyXYga
	 Ow6wFuwqQEc0VOEoiPIxC85r0Hohg4rslLjXzce320yZQxmZs9pAairVSgj2/ZS7gs
	 zlCzhyT1C4auCvSpNydi6mhQg3N7x8T7zhzCjEgEq3ZAwj23FWSfhNrA3S3AGCmc7G
	 t2MGnVniBf1RgaI/K9LT2Vj7VOajIgFmbEBojcCWZQ8NPB4pf+XOYaOU/7mH4OMh0+
	 ItRNVxGF41SXw==
Date: Mon, 30 Mar 2026 15:38:50 -0500
From: Nico Williams <nico@cryptonector.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Message-ID: <acrfWoDSHUrYj1if@ubby>
References: 
 <MN2PR17MB40314193002D42E6ED4F465ACD4CA@MN2PR17MB4031.namprd17.prod.outlook.com>
 <MN2PR17MB40315028C6985BD9F4F0C886CD52A@MN2PR17MB4031.namprd17.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: 
 <MN2PR17MB40315028C6985BD9F4F0C886CD52A@MN2PR17MB4031.namprd17.prod.outlook.com>
Message-ID-Hash: YVYOCZWYXAGCDTDHYNPX3ZEMGSJ2DYBB
X-Message-ID-Hash: YVYOCZWYXAGCDTDHYNPX3ZEMGSJ2DYBB
X-MailFrom: nico@cryptonector.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-tls.ietf.org-0;
 nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size;
 news-moderation; no-subject; digests; suspicious-header
CC: Tls <tls@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: =?utf-8?q?=5BTLS=5D_Re=3A_=5Blamps=5D_Re=3A_TLS_Client_Certificates=3B_a_sur?=
	=?utf-8?q?vey?=
List-Id: "This is the mailing list for the Transport Layer Security working
 group of the IETF." <tls.ietf.org>
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/tls/9o159R9vZQgayL37swt0S_CvLIc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Mon, Mar 30, 2026 at 08:04:54PM +0000, Salz, Rich wrote:
> The overwhelming response (strong consensus) — both posted and via
> private replies — is that applications will just switch to
> TLS-Server-Auth identities for the client side.

That violates RFCs 5280 & 8446 and vitiates the Chrome Root Program's
new policy.  Whatever problem that policy change meant to addres might
only be made worse by this approach (sure, only for those apps that
implement this workaround, but for those, yes, it will be worse).

There has to be a better way.

Does the IETF have a Liason to the Chrome Root Program?  Can we reach
out to them and ask them?  When I did they simply did not respond, but
if the IETF TLS and/or LAMPS WG chairs, or IETF Security ADs reach out
to them perhaps they'll respond -- failing that then maybe the IETF
Chair or the IAB.

Nico
-- 

