[TLS] Re: Adoption Call for Trust Anchor IDs

Mike Shaver <mike.shaver@gmail.com> Fri, 24 January 2025 20:45 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ALAx6musgbK4WGqD9Jv6QWgwd1c>

I support adoption. Cross-signing has proven a clumsy tool for managing the
introduction of new roots, and we need something better.

Mike


On Wed, Jan 15, 2025 at 11:01 AM Joseph Salowey <joe@salowey.net> wrote:

> At the trust tussle Interim in October we had consensus that the working
> group was interested in working on the following problem:
>
> “Avoid client trust conflicts by enabling servers to reliably and
> efficiently support clients with diverse trust anchor lists, particularly
> in larger PKIs where the existing certificate_authorities extension is not
> viable”
>
> After IETF 121, we asked for submissions for possible working group
> adoption as a starting point for this work. We received two submissions:
>
> [1] Trust Anchor Identifiers, draft-beck-tls-trust-anchor-ids-03
> <https://datatracker.ietf.org/doc/draft-beck-tls-trust-anchor-ids/>
>
> [2] Trust is non-negotiable, draft-jackson-tls-trust-is-nonnegotiable-00
> <https://datatracker.ietf.org/doc/draft-jackson-tls-trust-is-nonnegotiable/>
>
> [1] defines a new protocol mechanism, while [2] provides an explanation of
> why the mechanism in [1] may not be needed and may be problematic. Since
> the second draft does not define a protocol mechanism we are not
> considering it for adoption, but we request that working group members
> review both documents and use [2] as input into determining whether we
> should adopt [1] as a working group item.  Adoption as a working group item
> means the working group has change control over and can modify it as
> necessary; an adopted document is only a starting point.  Please respond to
> this thread if you think the document should be adopted as a working group
> item. If you think the document is not appropriate for adoption please
> indicate why.  This adoption call will close on February 7, 2025.  Also
> please remember to maintain professional behavior and keep the discussion
> focused on technical issues.
>
>
> Thanks,
>
>
> Sean, Deirdre and Joe
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>