[TLS] Re: Is there any interest in an RFC on how to do cross-organization mTLS?
"Iyer, Sudha E " <sudha.e.iyer@citi.com> Tue, 10 September 2024 07:39 UTC
From: "Iyer, Sudha E " <sudha.e.iyer@citi.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, Mark Robinson <mark@markrobinson.io>, "tls@ietf.org" <tls@ietf.org>, "uta@ietf.org" <uta@ietf.org>
Date: Tue, 10 Sep 2024 07:39:18 +0000
Message-ID: <PAVPR10MB7257C428A13FB5F807CC4AE08A9A2@PAVPR10MB7257.EURPRD10.PROD.OUTLOOK.COM>
References: <CAHaGKyeSBGD4AAbnddiWtG7kEvh3Y6mbTyAgw485UfJZhFKXkw@mail.gmail.com> <02100E15-44A3-41FF-B81C-B81FCC94AAE7@akamai.com> <GVXPR07MB9678C0193D148ABBEA7FAD4B899A2@GVXPR07MB9678.eurprd07.prod.outlook.com>
In-Reply-To: <GVXPR07MB9678C0193D148ABBEA7FAD4B899A2@GVXPR07MB9678.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KFNjxKod2NZrgvtMghJBMNF5jc8>

I agree. It is also good to cover different reference models / recommended patterns for mTLS vs one-way TLS.

Best,
Sudha E Iyer | Head, Data CyberSecurity Architecture Team | Chief Information Security Office | sudha.e.iyer@citi.com

________________________________
From: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Sent: Tuesday, September 10, 2024 8:16:15 AM
To: Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>; Mark Robinson <mark@markrobinson.io>; tls@ietf.org <tls@ietf.org>; uta@ietf.org <uta@ietf.org>
Subject: [TLS] Re: Is there any interest in an RFC on how to do cross-organization mTLS?

I would be very supportive of such an approach. I think the scope should cover mTLS in general, not just cross-organization. The term mTLS is not even defined in IETF; in fact the TLS WG has previously used mTLS for at least two other things.

It would be good to have a document to refer to for implementation requirements. A lot of TLS implementations are not at all suitable for mTLS. I have seen a lot of cases where people assume that any product supporting TLS will be suitable for mTLS. But often they are very limited and don't support client certs, don't support revocation, don't support extracting certificates from the handshake, etc.

I think it would also be very good to have an mTLS RFC when TLS 1.4 is done sometime in the future. TLS 1.3 removed a lot of functionality that was important to a lot of mTLS deployments, like a fourth handshake message, ephemeral ECDHE during a connection, reauthentication, and moved external PSK identifiers to a message where there is no identity protection.

It is not the TLS WG's fault if nobody was there to argue for the need of these things, but it would be good to have a document documenting these things in the future. Note that mTLS deployments are very different and might require different things.

Cheers,
John

From: Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>
Date: Monday, 9 September 2024 at 22:30
To: Mark Robinson <mark@markrobinson.io>, tls@ietf.org <tls@ietf.org>
Subject: [TLS] Re: Is there any interest in an RFC on how to do cross-organization mTLS?

> Would it be appropriate to write an RFC on how to make cross-organization mTLS work reliably and at scale? Would this group/mailing list be the right people to work with to make that happen?

You should also ask the UTA working group if they are interested.
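The three capabilities John Mattsson lists (requiring client certificates, checking revocation, and extracting the peer certificate from the handshake) can be shown in one loopback TLS 1.3 handshake. The program below is an added example, not code from the thread or from any implementation named in it: it generates a throwaway CA, server and client certificate in memory (all names such as client.partner.example are made up), the server refuses clients that present no certificate, performs a revocation check in the peer-verification callback (Go's crypto/tls does no revocation checking of its own, so a constructed in-memory set of revoked serials stands in for a CRL or OCSP lookup), and returns the authenticated client identity taken from the handshake state.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// issue mints a short-lived Ed25519 test certificate for cn; it is self-signed when parent is nil.
func issue(cn string, serial int64, isCA bool, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign} // test-only: one usage set for CA and leaves
	if parent == nil {
		parent = &tls.Certificate{Leaf: t, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Handshake runs one loopback TLS 1.3 handshake and returns the client identity the server extracted.
func Handshake(revoked map[int64]bool) (string, error) {
	ca := issue("Example Partner CA", 1, true, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{issue("server.example", 2, false, &ca)}, ClientCAs: pool,
		MinVersion: tls.VersionTLS13, ClientAuth: tls.RequireAndVerifyClientCert, // anonymous clients are refused
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error { // chain is already verified
			if leaf := chains[0][0]; revoked[leaf.SerialNumber.Int64()] { // crypto/tls does no revocation itself
				return errors.New("client certificate revoked: " + leaf.Subject.CommonName)
			}
			return nil
		}}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "server.example", Certificates: []tls.Certificate{issue("client.partner.example", 3, false, &ca)}}
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	defer ln.Close()
	go func() { tls.Dial("tcp", ln.Addr().String(), cliCfg) }() // client side of the loopback connection
	raw, _ := ln.Accept()
	s := raw.(*tls.Conn)
	defer s.Close()
	if err := s.Handshake(); err != nil {
		return "", err
	}
	return s.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

Calling Handshake with an empty revocation set yields "client.partner.example"; marking serial 3 as revoked makes the server abort the handshake with an error, which is the behaviour a stack that "supports revocation" has to provide.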