Re: [TLS] Certificate Transparency for Client certificate in MTLS handshake

Mohit Sahni <> Mon, 10 May 2021 13:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 069663A1D84; Mon, 10 May 2021 06:50:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zP09pDODl7wZ; Mon, 10 May 2021 06:50:26 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::d32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 98E253A1D8C; Mon, 10 May 2021 06:50:26 -0700 (PDT)
Received: by with SMTP id z24so14824512ioi.3; Mon, 10 May 2021 06:50:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=J3GinV5WkL5gdgUQa5v82kd+Z1DgXb79OfiWQVm6HMc=; b=nKi7+NXFU6+TxCeZbWoFKxr12SAvlg1Jt4m2WmxwxOJsQYyyqVSAj3oaGUAlw8QJfP Uqb5FRWif0iA90/H1JWDWAuBq24bfeNTaQ+iY8hQ0lTNU10dbfWJ+41iJd5Z+xbI+dlm iukuBfzoMkpZmnVQ4Vi/Dmw0vaXDG3SxM0H6AkwTbGoudfeG4RqYX/RrABxYpp0bpAcO d1CRe/b1FZkDB1Sl4tmX1e8RM27QUU/Mqb+0eOiIhK5x1tOEp7EZPfnAvqVE/+VNQhsn kT2+IiRhXOiXUxnk63b6urAeCXuUw6rNW5eWrNsUSN1zyCBaTb8Yv8HJS9Ve3ExzUtMQ f+Yg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=J3GinV5WkL5gdgUQa5v82kd+Z1DgXb79OfiWQVm6HMc=; b=SE8/6t8lD+OUApgOyr2o42CkUA6FC0QwBkfVDqNWXUL6aMF7M02EKqVeSD2RXi/BS7 FITbqkEPh1fWxY1KJcaOxziX1LOO0peOKR6pmMuwkuSWy5zsiHFNMGq2hfPplvURpn2E Sif01P7e7LP0Tbp4DiqEQZwohQP8fqcEzvagU4h0xcvMpSzUC9vv09dpeDdwCBIz8L2E WSQhWrr9Vt65B/NiweghcN8YCZL75XxNZSPWM66mOOCCDNLweb5YEVHnxGCxGqyTrRCP t3N60wq3hLsfq3+1IS3V5Hs96RUitq1yO9khqLyJe7AHJAuIVC270DUCGm8BCeu3dPcl MGEQ==
X-Gm-Message-State: AOAM530KY6Jug4vDK7V6T3aNV2fuIx7cJrvXZGHV2D0d9HnpG5V9UaHt e6LYf0l8vMErZeudMpwOhW30YF2SGY4nFZW/E4i6XOeRKJU=
X-Google-Smtp-Source: ABdhPJwo9BhlF0aCdskVeqA0qC12tAfAwlk1N91JXAIFGsEh11YI6DwJJOHcL3WhUCS8boAiAz7ePY8BaDwF8gd/GZk=
X-Received: by 2002:a02:3304:: with SMTP id c4mr21823967jae.68.1620654625187; Mon, 10 May 2021 06:50:25 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Mohit Sahni <>
Date: Mon, 10 May 2021 06:50:14 -0700
Message-ID: <>
To: "Salz, Rich" <>
Cc: Melinda Shore <>, "" <>, "" <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [TLS] Certificate Transparency for Client certificate in MTLS handshake
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 10 May 2021 13:50:36 -0000

Hi Melinda and Rich,
Thank for your comments, I agree that there is not much demand from
the enterprise PKI but with the rise of IOT devices and automatic
enrollment for client certificates, a need for some auditing of all
the issued client certificates is becoming more important. Managing
large services that use client certificates, I feel having some
assurance that the clients have SCT logs and are not revoked will give
me a better sleep at night.


On Mon, May 10, 2021 at 6:04 AM Salz, Rich
<> wrote:
> >  But I have to say, the core problem this proposal
>     faces would seem to be lack of demand on the part of folks who
>     consume client certificates.
> Agreed.  In our experience, client certs are deployed from an enterprise PKI, and the receiving consumers assume valid issuance. I'm not aware of any of our customers (the few that use client certs) who also use a public CA, or even more than one.
> Added the trans list.
> _______________________________________________
> TLS mailing list