[TLS] Re: [lamps] TLS Client Certificates; a survey

Alan DeKok <alan.dekok@inkbridge.io> Mon, 23 March 2026 20:26 UTC

Return-Path: <alan.dekok@inkbridge.io>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 5AE42D02FEDC; Mon, 23 Mar 2026 13:26:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=inkbridge.io header.b="OQnRsRcK"; dkim=pass (2048-bit key) header.d=inkbridge.io header.b="k4ppYJdP"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w4nS0peBUkJG; Mon, 23 Mar 2026 13:26:01 -0700 (PDT)
Received: from mail2.networkradius.com (mail2.networkradius.com [184.95.211.25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id D01DBD02FED0; Mon, 23 Mar 2026 13:26:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=inkbridge.io; s=sep2024; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=JhRPJb4zrt71YzNPtkM8iEG9b2qTBaXKf/uep/xv2QI=; b=OQnRsRcKiqplXvEr/O+Zc2a9SK serK75AznG7M1OZez/ASr4/Rbu4iFW4gD8aZpQltv/VG3ASUhTV07gmL8/vkgpNnTduqD1uIxT69O e5x/AcVMw3wi1YSggqtVGROODramPrIeZ219O/SzBjmQa5BR/HqkjGqq3uDKuzgcl9euboJSPS/Vv MWr9k0kFt6FSfVN5DvJkUv3SFdNhEr6SVxvJcXhMCItkuz6Cv6hDRMshlfJq5QBojVSMG4f8w8nz3 cWOqwUoPQ1+n1ZbtJglc2fpy6a5DVfJUqSVy9CPH57dvz9lflGQA8YgoskwWYQQbn76iGSy7HYURZ c3MrDDJw==;
Received: from mail.servers.fr.internal.networkradius.com ([192.168.42.56]:35702 helo=mail.networkradius.com) by mail2.networkradius.com with esmtp (Exim 4.97) (envelope-from <alan.dekok@inkbridge.io>) id 1w4lqZ-00000001EIA-4AH5; Mon, 23 Mar 2026 20:26:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inkbridge.io; s=sep2024; t=1774297559; bh=JhRPJb4zrt71YzNPtkM8iEG9b2qTBaXKf/uep/xv2QI=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=k4ppYJdPm2KDhshW1qHHMxNzHNl5WNtXuwsjAOUvGYMsQLY8Ptlsasl2KzAa6+qtt LYZexhAFoxrFGCyMqkgLycO55HofwiSbY4g2Ae07RR/eFbozdHwrAe63qAlJnE4v88 O0CVPzfb3X96fxCUbOuxx4/5/adB+rjuPQrsXaSjyBbbP+Xskf1s33etSxcVD+MhXR WdCHH31yuGUtU8YGe5VsZsNdAQ2gW3oaLC2lNlHCFgA/lsni2GFlxLKTtTIb6u3SYS ROAPBPqgaJztywUWDbUKs9ZmC4qaxGgFSETbstYqZKfqxYYxSfXDROK2s51uUGjVcC dkFziKXNvvOmg==
Received: from smtpclient.apple (unknown [27.252.232.19]) by mail.networkradius.com (Postfix) with ESMTPSA id 76466601; Mon, 23 Mar 2026 20:25:57 +0000 (UTC)
Content-Type: multipart/signed; boundary="Apple-Mail=_16C65516-B5FE-4CEA-8AF3-EBCE07957860"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.700.81.1.4\))
From: Alan DeKok <alan.dekok@inkbridge.io>
In-Reply-To: <CAH8yC8kCHDqaU5q6Ct8ZPCO+5cYJC+a+zEf8JD2Q7XZuYng7pQ@mail.gmail.com>
Date: Tue, 24 Mar 2026 09:25:42 +1300
Message-Id: <19C42BA1-8863-4E94-AB84-2AA7B8E96C59@inkbridge.io>
References: <MN2PR17MB40314193002D42E6ED4F465ACD4CA@MN2PR17MB4031.namprd17.prod.outlook.com> <4732.1774288835@obiwan.sandelman.ca> <acGB3/g8HMNNOP4J@ubby> <DU0PR03MB86960694D96A2E52CCED6440864BA@DU0PR03MB8696.eurprd03.prod.outlook.com> <6952177E-8DC0-486E-980E-67CD5A0E1569@inkbridge.io> <CAH8yC8kCHDqaU5q6Ct8ZPCO+5cYJC+a+zEf8JD2Q7XZuYng7pQ@mail.gmail.com>
To: noloader@gmail.com
X-Mailer: Apple Mail (2.3826.700.81.1.4)
Message-ID-Hash: 2QH7LSJIKS2PPYL4UI2QTUQ3BZOVPCIM
X-Message-ID-Hash: 2QH7LSJIKS2PPYL4UI2QTUQ3BZOVPCIM
X-MailFrom: alan.dekok@inkbridge.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>, Michael Richardson <mcr+ietf@sandelman.ca>, Tls <tls@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [lamps] TLS Client Certificates; a survey
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/D8TDAHK5kuW-W_lceNg_lDJDwcE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Mar 24, 2026, at 8:18 AM, Jeffrey Walton <noloader@gmail.com> wrote:
> Regarding Item (2), wouldn't Trust on First Use (TOFU) work well?

  Sure, for some definition of "work".  The traffic would be more secure than using raw TCP.

  But there are questions remaining.  Is the server you're connecting to actually owned by example.com <http://example.com/>?  Is it authorized?  etc.  We just don't know.

>   Remember, TLS is only intended to be about as secure as brick-and-mortar stores.  It is not intended to be as secure as Fort Knox.  The biggest threat in mail systems seems to be the mail operator reading your messages.  That's the insider threat in brick-and-mortar stores, where employees are committing an equal amount of the theft as external customers.
> 
> And who needs a CA anyways?  All we need is a hostname and a public key.  We don't need a CA to bind them.  The hostname and public key information is presented in an end-entity certificate, so that's all we need.  The self-signed certificate can be hosted in DNS and retrieved as required since that seems to be the modern equivalent to the X.500 directory.  The world does not need to be adverse to self-signed certificates just because the CA/BF does not care for them.

  I find it a bit surprising that certificates can carry a substantial amount of information about purposes, authorization, hierarchies, etc.  But that pretty much the only way to make them usable is to just ignore all of that.

  Alan DeKok.