[TLS] Re: Transparent TLS Client Auth (t2CA)

[Phillip Hallam-Baker <phill@hallambaker.com>]

On Thu, May 22, 2025 at 1:58 PM Eric Rescorla <ekr@rtfm.com> wrote:

> On Thu, May 22, 2025 at 10:28 AM Phillip Hallam-Baker <
> phill@hallambaker.com> wrote:
>
>>
>> I accept that most people are going to go for a free DNS handle issued by
>> a handle provider. But a system in which users have the option of exit has
>> completely different dynamics to one where they are locked in by switching
>> costs.
>>
>
> Yes, I agree with this. But even in the case where the DNS handle is
> associated with my own
> server, that server is then likely hosted by some DNS hosting provider,
> and so we have to
> worry about privacy via that provider.
>

The amount of information available to the Handle Service Provider is
pretty modest unless they are running the OAUTH IdP and this is all about
taking them out of that loop as well.

Google knows a heck of a lot more about my use of my OpenID and the
difference is I really don't have much choice in OpenID providers. I would
much rather trust a HSP I picked than Google. I do not trust Facebook at
all, they just blocked my wife's account for absolutely no cause so they
can demand she render up some biometrics to Caesar.

* Allowing the site to control the timing of the authentication
>>>   (e.g., offering you connect unauthenticated and then upgrading).
>>> * Allowing the site to offer multiple authentication options.
>>> * Allowing the site to control the look and feel of the interaction.
>>>
>>
>> I don't want the site to be doing any of that. I want there to be a
>> single consistent authentication experience across everything. Without
>> consistency, users have no idea what they are doing and the scheme is
>> vulnerable to social engineering attacks.
>>
>
>>> What matters here is not what you want but rather what the site wants,
>>> and in my experience they want these properties.
>>> So, again, I ask: which major players in the current ecosystem are
>>> interested in this.
>>>
>>
I missed this the first time. Are you serious?

'What matters here is not what you want but rather what the site wants'

So, we only listen to the businesses and corporations, not the Web users?

I think you are dead wrong about what the sites want. I have heard many,
many sites say they want OpenID without having Facebook or Google in the
loop. They absolutely do not want an auth system that has their biggest
competitive threats seeing who visits them.

The target 'site' in this case is the HTTPS server built into my next IoT
>> thermostat after the current one is disabled because of malicious
>> obsolescence.
>>
>
> OK, but there are still vendors who need to do things, so I think my
> question continues to be relevant.
> Which device and/or browser vendors are interested?
>

Well, since I made the first version of this proposal on Monday and it is
now Thursday, I expect the answer to both is 'none' and 'one'. And the one
is only because I have my own browser that I use as a testbed for things.

I don't need to be able to log into my thermostat from every one of my Web
browsers. Just one of them is sufficient and it doesn't need to be fully
featured.

The client auth part is not currently critical path as far as deployment
goes. My expectation is that DNS Handles will reach 500 million users over
the next few years and that in turn will drive at least one browser
provider to support privacy personas based on that.