[TLS] Re: Is there any interest in an RFC on how to do cross-organization mTLS?
Richard Barnes <rlb@ipv.sx> Wed, 11 September 2024 14:24 UTC
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 11 Sep 2024 10:24:06 -0400
To: Sean Turner <sean@sn3rd.com>
CC: Mark Robinson <mark@markrobinson.io>, TLS List <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Or_c4UfctcSlpIHQToAc2ez9iv8>
+1 to Sean here, it would be easier to evaluate this with a document in hand. And in particular, a list of ways that people find mTLS is failing in practice.

I am generally skeptical of this idea, at least as a TLS WG item. In pure TLS terms, there is no such thing as "one-way TLS" or "mutually authenticated TLS" -- every TLS handshake supports both modes, and every TLS handshake could be mutually-authenticated until the server declines to send a CertificateRequest or the client declines to provide a Certificate in response.

In other words, I disagree with Olle's and John's assertion that there's no definition for mTLS. There is: "TLS where the server sends a CertificateRequest and the client sends a Certificate". Any TLS handshake where that happens is mutually authenticated.

An RFC defining "mTLS" that adds a bunch of extra requirements on top of the above will just deepen the confusion. "In this scheme, we use mTLS between these two machines" ... "Oho, but you don't color the bits yellow and configure the PKI like RFC XXXX says you need to do for True mTLS".

If there's anything to be done here, it's recommendations for configuring TLS stacks to be compatible, probably largely focused on PKI considerations. Informational, not Proposed Standard; UTA, not TLS. And even then, we need a lot more precision on the problems to be solved.

--Richard

On Tue, Sep 10, 2024 at 11:21 AM Sean Turner <sean@sn3rd.com> wrote:
> Mark,
>
> Hi! I’d suggest writing the I-D [1] and then we (the royal we here) can figure out where it goes; could be ALLDISPATCH then TLS or UTA depending on ALLDISPATCH outcome. Additionally, discussing at the ALLDISPATCH session would get a much wider audience, which I think would help in general.
>
> spt
>
> [1] Submission deadline for IETF 121 is 21 October.
>
> > On Sep 9, 2024, at 14:42, Mark Robinson <mark@markrobinson.io> wrote:
> >
> > I've been doing a lot of work lately to support organizations that do mTLS between each other. The problem I've found is that there is a huge amount of ignorance on TLS in general and mTLS in particular.
> >
> > Would it be appropriate to write an RFC on how to make cross-organization mTLS work reliably and at scale? Would this group/mailing list be the right people to work with to make that happen?
> >
> > Mark
> > _______________________________________________
> > TLS mailing list -- tls@ietf.org
> > To unsubscribe send an email to tls-leave@ietf.org
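Richard's definition is easy to see in code. The Go program below is an added example, not code from the thread or from any IETF document: one crypto/tls server and one client run every case, and the only things that change are the server's ClientAuth policy (whether it sends CertificateRequest) and whether the client holds a Certificate to answer with. The names server.example and client.example and the self-signed certificates are constructed for the demo; it assumes only the Go standard library and a loopback interface.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throwaway self-signed cert for name (constructed for this demo) and a pool holding it, so
// the one cert is the endpoint's own leaf and, on the other side, its trust anchor.
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}
// Handshake runs one TLS 1.3 handshake over loopback. auth is the server's client-auth policy (NoClientCert means no
// CertificateRequest is sent); offerCert is whether the client holds a cert to answer one with. It reports whether
// both sides completed the handshake and whether the server ended up holding an authenticated client identity.
func Handshake(auth tls.ClientAuthType, offerCert bool) (ok, clientAuthenticated bool) {
	srvCert, srvRoots := selfSigned("server.example")
	cliCert, cliRoots := selfSigned("client.example")
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: auth, ClientCAs: cliRoots,
		MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true} // tickets off: nothing follows the handshake
	cliCfg := &tls.Config{RootCAs: srvRoots, ServerName: "server.example", MinVersion: tls.VersionTLS13}
	if offerCert {
		cliCfg.Certificates = []tls.Certificate{cliCert} // only ever sent if the server asks for it
	}
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	defer ln.Close()
	var srv *tls.Conn
	done := make(chan error, 1)
	go func() { // server side
		raw, _ := ln.Accept()
		srv = tls.Server(raw, srvCfg)
		done <- srv.Handshake()
	}()
	raw, _ := net.Dial("tcp", ln.Addr().String())
	defer raw.Close()
	err := tls.Client(raw, cliCfg).Handshake() // client side
	serr := <-done                             // the server has now processed the client's second flight
	defer srv.Close()
	return err == nil && serr == nil, len(srv.ConnectionState().PeerCertificates) > 0
}
```

Running the combinations shows the handshake completing in every case except a required CertificateRequest that the client declines, and the server holding a client identity only when the CertificateRequest was both sent and answered.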