Re: [TLS] Certificate Transparency for Client certificate in MTLS handshake

"Salz, Rich" <rsalz@akamai.com> Mon, 10 May 2021 13:03 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Melinda Shore <melinda.shore@nomountain.net>, "tls@ietf.org" <tls@ietf.org>, "trans@ietf.org" <trans@ietf.org>
Date: Mon, 10 May 2021 13:03:35 +0000
Message-ID: <DD1EE792-A70A-4DD9-BFC5-2BD011F6F29D@akamai.com>
References: <CAEpwuw2tBLn-7b1YBXf3YfS4WXM-JrKbfHsQPt=_H4FYKYdmVQ@mail.gmail.com> <7d9d6d72-2471-e983-ffef-71c5a706abeb@nomountain.net>
In-Reply-To: <7d9d6d72-2471-e983-ffef-71c5a706abeb@nomountain.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NbnBJajjJaT7CQ6kujDfAh2vzTw>
Subject: Re: [TLS] Certificate Transparency for Client certificate in MTLS handshake

> But I have to say, the core problem this proposal
> faces would seem to be lack of demand on the part of folks who
> consume client certificates.

Agreed.  In our experience, client certs are deployed from an enterprise PKI, and the receiving consumers assume valid issuance. I'm not aware of any of our customers (the few that use client certs) who also use a public CA, or even more than one.

Added the trans list.