[TLS] Re: [lamps] TLS Client Certificates; a survey
Alan DeKok <alan.dekok@inkbridge.io> Mon, 23 March 2026 20:26 UTC
Return-Path: <alan.dekok@inkbridge.io>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 5AE42D02FEDC; Mon, 23 Mar 2026 13:26:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=inkbridge.io header.b="OQnRsRcK"; dkim=pass (2048-bit key) header.d=inkbridge.io header.b="k4ppYJdP"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w4nS0peBUkJG; Mon, 23 Mar 2026 13:26:01 -0700 (PDT)
Received: from mail2.networkradius.com (mail2.networkradius.com [184.95.211.25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id D01DBD02FED0; Mon, 23 Mar 2026 13:26:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=inkbridge.io; s=sep2024; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=JhRPJb4zrt71YzNPtkM8iEG9b2qTBaXKf/uep/xv2QI=; b=OQnRsRcKiqplXvEr/O+Zc2a9SK serK75AznG7M1OZez/ASr4/Rbu4iFW4gD8aZpQltv/VG3ASUhTV07gmL8/vkgpNnTduqD1uIxT69O e5x/AcVMw3wi1YSggqtVGROODramPrIeZ219O/SzBjmQa5BR/HqkjGqq3uDKuzgcl9euboJSPS/Vv MWr9k0kFt6FSfVN5DvJkUv3SFdNhEr6SVxvJcXhMCItkuz6Cv6hDRMshlfJq5QBojVSMG4f8w8nz3 cWOqwUoPQ1+n1ZbtJglc2fpy6a5DVfJUqSVy9CPH57dvz9lflGQA8YgoskwWYQQbn76iGSy7HYURZ c3MrDDJw==;
Received: from mail.servers.fr.internal.networkradius.com ([192.168.42.56]:35702 helo=mail.networkradius.com) by mail2.networkradius.com with esmtp (Exim 4.97) (envelope-from <alan.dekok@inkbridge.io>) id 1w4lqZ-00000001EIA-4AH5; Mon, 23 Mar 2026 20:26:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inkbridge.io; s=sep2024; t=1774297559; bh=JhRPJb4zrt71YzNPtkM8iEG9b2qTBaXKf/uep/xv2QI=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=k4ppYJdPm2KDhshW1qHHMxNzHNl5WNtXuwsjAOUvGYMsQLY8Ptlsasl2KzAa6+qtt LYZexhAFoxrFGCyMqkgLycO55HofwiSbY4g2Ae07RR/eFbozdHwrAe63qAlJnE4v88 O0CVPzfb3X96fxCUbOuxx4/5/adB+rjuPQrsXaSjyBbbP+Xskf1s33etSxcVD+MhXR WdCHH31yuGUtU8YGe5VsZsNdAQ2gW3oaLC2lNlHCFgA/lsni2GFlxLKTtTIb6u3SYS ROAPBPqgaJztywUWDbUKs9ZmC4qaxGgFSETbstYqZKfqxYYxSfXDROK2s51uUGjVcC dkFziKXNvvOmg==
Received: from smtpclient.apple (unknown [27.252.232.19]) by mail.networkradius.com (Postfix) with ESMTPSA id 76466601; Mon, 23 Mar 2026 20:25:57 +0000 (UTC)
Content-Type: multipart/signed; boundary="Apple-Mail=_16C65516-B5FE-4CEA-8AF3-EBCE07957860"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.700.81.1.4\))
From: Alan DeKok <alan.dekok@inkbridge.io>
In-Reply-To: <CAH8yC8kCHDqaU5q6Ct8ZPCO+5cYJC+a+zEf8JD2Q7XZuYng7pQ@mail.gmail.com>
Date: Tue, 24 Mar 2026 09:25:42 +1300
Message-Id: <19C42BA1-8863-4E94-AB84-2AA7B8E96C59@inkbridge.io>
References: <MN2PR17MB40314193002D42E6ED4F465ACD4CA@MN2PR17MB4031.namprd17.prod.outlook.com> <4732.1774288835@obiwan.sandelman.ca> <acGB3/g8HMNNOP4J@ubby> <DU0PR03MB86960694D96A2E52CCED6440864BA@DU0PR03MB8696.eurprd03.prod.outlook.com> <6952177E-8DC0-486E-980E-67CD5A0E1569@inkbridge.io> <CAH8yC8kCHDqaU5q6Ct8ZPCO+5cYJC+a+zEf8JD2Q7XZuYng7pQ@mail.gmail.com>
To: noloader@gmail.com
X-Mailer: Apple Mail (2.3826.700.81.1.4)
Message-ID-Hash: 2QH7LSJIKS2PPYL4UI2QTUQ3BZOVPCIM
X-Message-ID-Hash: 2QH7LSJIKS2PPYL4UI2QTUQ3BZOVPCIM
X-MailFrom: alan.dekok@inkbridge.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>, Michael Richardson <mcr+ietf@sandelman.ca>, Tls <tls@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [lamps] TLS Client Certificates; a survey
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/D8TDAHK5kuW-W_lceNg_lDJDwcE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
On Mar 24, 2026, at 8:18 AM, Jeffrey Walton <noloader@gmail.com> wrote: > Regarding Item (2), wouldn't Trust on First Use (TOFU) work well? Sure, for some definition of "work". The traffic would be more secure than using raw TCP. But there are questions remaining. Is the server you're connecting to actually owned by example.com <http://example.com/>? Is it authorized? etc. We just don't know. > Remember, TLS is only intended to be about as secure as brick-and-mortar stores. It is not intended to be as secure as Fort Knox. The biggest threat in mail systems seems to be the mail operator reading your messages. That's the insider threat in brick-and-mortar stores, where employees are committing an equal amount of the theft as external customers. > > And who needs a CA anyways? All we need is a hostname and a public key. We don't need a CA to bind them. The hostname and public key information is presented in an end-entity certificate, so that's all we need. The self-signed certificate can be hosted in DNS and retrieved as required since that seems to be the modern equivalent to the X.500 directory. The world does not need to be adverse to self-signed certificates just because the CA/BF does not care for them. I find it a bit surprising that certificates can carry a substantial amount of information about purposes, authorization, hierarchies, etc. But that pretty much the only way to make them usable is to just ignore all of that. Alan DeKok.
- [TLS] TLS Client Certificates; a survey Salz, Rich
- [TLS] Re: TLS Client Certificates; a survey John Mattsson
- [TLS] Re: [lamps] TLS Client Certificates; a surv… Viktor Dukhovni
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Nico Williams
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Tomas Gustavsson
- [TLS] Re: [lamps] TLS Client Certificates; a surv… Michael Richardson
- [TLS] Re: [lamps] TLS Client Certificates; a surv… Salz, Rich
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Nico Williams
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Eliot Lear
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Tomas Gustavsson
- [TLS] Re: [lamps] TLS Client Certificates; a surv… Alan DeKok
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Jeffrey Walton
- [TLS] Re: [lamps] TLS Client Certificates; a surv… Alan DeKok
- [TLS] [lamps] Re: TLS Client Certificates; a surv… Nico Williams
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Nico Williams
- [TLS] Re: TLS Client Certificates; a survey Phillip Hallam-Baker
- [TLS] Re: TLS Client Certificates; a survey Raghu Saxena
- [TLS] Re: TLS Client Certificates; a survey Peter Gutmann
- [TLS] Re: TLS Client Certificates; a survey Peter Gutmann
- [TLS] Re: TLS Client Certificates; a survey Salz, Rich
- [TLS] Re: TLS Client Certificates; a survey Raghu Saxena
- [TLS] Re: [lamps] TLS Client Certificates; a surv… John Kemp
- [TLS] Re: [lamps] TLS Client Certificates; a surv… Peter Gutmann
- [TLS] Re: [EXT] [lamps] Re: TLS Client Certificat… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Jeffrey Walton
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Viktor Dukhovni
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Viktor Dukhovni
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Wei Chuang
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Nico Williams
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … John Levine
- [TLS] Re: TLS Client Certificates; a survey ml+ietf-tls
- [TLS] Re: TLS Client Certificates; a survey Nico Williams
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Viktor Dukhovni
- [TLS] Re: TLS Client Certificates; a survey Salz, Rich
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Nico Williams
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Mike Ounsworth
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … David Adrian
- [TLS] Re: [lamps] Re: Re: Re: TLS Client Certific… Stephen Farrell
- [TLS] Re: [EXT] [lamps] Re: Re: Re: TLS Client Ce… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: [lamps] Re: Re: Re: TLS Client Certific… Phillip Hallam-Baker
- [TLS] Re: [lamps] Re: Re: Re: TLS Client Certific… Peter Gutmann
- [TLS] Re: [lamps] Re: Re: Re: TLS Client Certific… Jeffrey Walton
- [TLS] Re: [EXTERNAL] Re: [lamps] Re: Re: Re: TLS … Andrei Popov
- [TLS] Re: [lamps] [EXTERNAL] Re: Re: Re: Re: TLS … Russ Housley
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Eric Rescorla
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … John Mattsson
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Eric Rescorla
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Viktor Dukhovni
- [TLS] Re: TLS Client Certificates; a survey Salz, Rich
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Mike Ounsworth
- [TLS] Re: [lamps] Re: Re: Re: TLS Client Certific… David Adrian
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Rob Sayre
- [TLS] Re: [lamps] Re: Re: Re: TLS Client Certific… Phillip Hallam-Baker
- [TLS] Re: [EXT] [lamps] Re: [EXTERNAL] Re: Re: Re… Blumenthal, Uri - 0553 - MITLL
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Nico Williams
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Eric Rescorla
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Michael Richardson
- [TLS] Re: [lamps] [EXTERNAL] Re: Re: Re: Re: TLS … Andrei Popov
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Nico Williams
- [TLS] Re: [lamps] [EXTERNAL] Re: Re: Re: Re: TLS … Alan DeKok
- [TLS] Re: [lamps] [EXTERNAL] Re: Re: Re: Re: TLS … David Adrian
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Andrei Popov
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Nico Williams
- [TLS] Re: TLS Client Certificates; a survey Peter Gutmann
- [TLS] Re: [lamps] [EXTERNAL] Re: Re: Re: Re: TLS … Nico Williams
- [TLS] Re: [EXT] [lamps] Re: [EXTERNAL] Re: Re: Re… Andrei Popov
- [TLS] Re: [lamps] Re: Re: TLS Client Certificates… Alan DeKok
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Michael Richardson
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Nico Williams
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Mike Shaver
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Nico Williams
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Nico Williams
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Jeffrey Walton
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Viktor Dukhovni
- [TLS] Re: [lamps] [EXTERNAL] Re: Re: Re: Re: TLS … Mike Shaver
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Nico Williams
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Ilari Liusvaara
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Nico Williams
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Peter Gutmann
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Nico Williams
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Peter Gutmann
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Andrei Popov
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Nico Williams
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Mike Shaver
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Rob Sayre
- [TLS] Re: [lamps] [EXTERNAL] Re: Re: Re: Re: TLS … Alan DeKok
- [TLS] Re: [lamps] [EXTERNAL] Re: Re: Re: Re: TLS … Nico Williams
- [TLS] Re: [lamps] [EXTERNAL] Re: Re: Re: Re: TLS … Ilari Liusvaara
- [TLS] Re: [lamps] [EXTERNAL] Re: Re: Re: Re: TLS … Andrei Popov
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … 刘鹏辉
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Peter Gutmann
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Nico Williams
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Viktor Dukhovni
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Nico Williams
- [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: … Michael Richardson
- [TLS] Re: [lamps] Re: TLS Client Certificates; a … Nico Williams