IETF Logo Mail Archive

[TLS] Re: PKI dynamics and trust anchor negotiation

Watson Ladd <watsonbladd@gmail.com> Fri, 07 February 2025 01:09 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E687FC1D8D73 for <tls@ietfa.amsl.com>; Thu, 6 Feb 2025 17:09:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VRy6mtm9zYzU for <tls@ietfa.amsl.com>; Thu, 6 Feb 2025 17:09:05 -0800 (PST)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82C67C1D8D57 for <tls@ietf.org>; Thu, 6 Feb 2025 17:09:05 -0800 (PST)
Received: by mail-wr1-x42b.google.com with SMTP id ffacd0b85a97d-38daf09d37fso1061467f8f.1 for <tls@ietf.org>; Thu, 06 Feb 2025 17:09:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1738890544; x=1739495344; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=OjUgjSP9qtxzjVjkMTTpKjIWoDZNV+cGAQJXuQvqIzg=; b=iBo/Z3UIwFUAaA+2LbCyvXEQc0uRlqHuRk8vSw+Suz7ojYeH5xrgKTleu3LkHK5KhZ rQiQJqXfYRrn1ljwEqZBwBg+aYrMzTYIJnM+zANidYpY6bZht8ZFmCYoN0mvdn4fOlXJ hESX+aHksUFIQoYFcbeyL1jDpecusIJ/af+PB7EFMj9o659+Xn7WZ6wNBPU47qxKM0TQ IpblRBOc/qTMjVBcwSsPu1XLIyF2sviS52Y6CSnvtv1ktkmcP78GJbqGRnjVFGFVAcmu IcLt8+xkJC4u+B08mcIyF0IyLcocXc2bTo3l20WpTSK+yHPyJQDuipeu52ZtQdE0PYBT hPkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738890544; x=1739495344; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=OjUgjSP9qtxzjVjkMTTpKjIWoDZNV+cGAQJXuQvqIzg=; b=G5Gka2ZZZpWj+WHV7VBzArcerjM9241g753zPW9vEs0nlCPTT7laU0KgkKcOhRpuJB Z4Cv243GfVuiGdNdICUl5tJtfvTEocJe8GaY+mjPQB8PCigQihwNscmGDGAZ+qYjTGWZ DVH6SwYRWcN1aadfXjKEvwzswNwwLgVdZMTfBiY4Q2WdtRx5Uc8YPRcPpGUEa2w09Ug5 oOHR28UJdF/Dbp19UlWsxxaIIl/j0CNHsTCIgM2OP4tT5Z0+D6POB8Pc27a5bXKjBb9u cQ7a/sKpQj8mo3bEdBBMxq6S9c6RMQJ9DPDpG6h2jErxS+S7IznfpySjALqHSc+1eKsu nCZQ==
X-Gm-Message-State: AOJu0YwE1qO+an9WHqDW/94ZCaYeCsseJnZQjk+A+QRT8+W795f6icrE PJ6h4QnAquqGoBDCW4IDDaBM3BK+pgHjkIa0kbrLVnE8wrBmlulOWBNEpDYWf8f1VjnKnp4gDmm OaETy4AK1v/1phE73HgDwUTAt3lo=
X-Gm-Gg: ASbGncvCyjzToJwoIAEVSmY0pF7lqtKq2wUQqKZfPBLfNi6+wI+Zr5N6T2c9J7NfdPf OmvHpLcnL5PMMypoKGUijdyLBKOHr0w8/8zfCsq8XtjoubH9OKUYQWqoZg+zfOLBv8iwOka4xJJ T8TWVWsnC5Hxwl5/Rx3gIOGulyVa4=
X-Google-Smtp-Source: AGHT+IHt3/1X8kUrHOXdr1lRSZwHOw+ZJnekE/Z6APLvxDzrFp7drBV+l+A+ugZKrBBNEXn83qUFL0Ocb3/66os6I8g=
X-Received: by 2002:a05:6000:1faf:b0:38a:873f:e31f with SMTP id ffacd0b85a97d-38dc8da6f40mr695799f8f.1.1738890543715; Thu, 06 Feb 2025 17:09:03 -0800 (PST)
MIME-Version: 1.0
References: <CAF8qwaANSCodvYKAxSJf1EFnJaXmFAfD+USCg+kRVY9eRa1zow@mail.gmail.com>
In-Reply-To: <CAF8qwaANSCodvYKAxSJf1EFnJaXmFAfD+USCg+kRVY9eRa1zow@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 06 Feb 2025 17:08:52 -0800
X-Gm-Features: AWEUYZmLiXeQi21B3Euycah8CCt9gavoEnQ4mHhiBOxrvkVOnNuKZJ9DALunLkE
Message-ID: <CACsn0ckxGKq2pnNrRXqyb1UtHnJHunByrEmr3o=1Y5XrWx4X0g@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Content-Type: text/plain; charset="UTF-8"
Message-ID-Hash: CSRD4V5XDHDITNCLQSUTGE45WLVI7VBE
X-Message-ID-Hash: CSRD4V5XDHDITNCLQSUTGE45WLVI7VBE
X-MailFrom: watsonbladd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "<tls@ietf.org>" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: PKI dynamics and trust anchor negotiation
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/T9uM35mOFi63WJjRUhwgUdy77Hs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Dear David,

I have to start by apologizing. It's not until now on reading your
email that I've come to the realization of what the issues were with
at least the early negotiation proposals in a way that makes them
clearly articulateable, and I think earlier on it would have been more
fruitful for me to have realized them. I've also not necessarily fully
digested the latest proposal.

If we were to have used certificate_authorities to negotiate, every
client would be sending a list of all the authorities it recognized,
servers would intersect them with what they had, and sending back the
result or an error if there were none, perhaps with some indicative
information of what they had on hand. In this world a new client would
be just as able to send such a list as any other, and servers could
recognize shifts in support and change the set of CAs they use
accordingly. There would be no additional mechanism inflected penalty:
if server A and client B can connect, they are able to determine this
fact, regardless of whatever deviations from commonality each one has
in their contribution.

A negotiation where what is advertised is an inherently opaque
pointer, and where each side must maintain an idea of what that could
mean, does not have this property. Servers have to explicitly act to
support the new identifier by getting a configuration that includes
it. Whether or not this is indirectly away as part of ACME doesn't
really change the equation. New clients can't count on server support,
unless they advertise an already existing value. There's been various
ways to express deltas to try to solve this, but they all involve
paying a penalty for deviation.

We've been through this before with the web platform looking more at
feature detection than painful UserAgent sniffing as browsers keep
telling all sorts of lies on top of lies.

There's also the fact that we've gone back and forth about how to
negotiate parameters, regrouping the possible dimensions a few times
and in different directions. We also have to deal with OS stores; this
bit us with TLS 1.2 where the set of supported algorithms had to split
out leafs from the rest of the chain since different implementations
could be used. I'm not sure that starting off with a tight coupling of
a bunch of dimensions is the right idea, but don't feel as strongly
about that.

The dynamic I'm worried about most then isn't fracturing: as you point
out there are some countervailing forces where people want easy
support. Rather it's that we artificially drive up the price of
picking different CAs than the dominant implementation.

Sincerely,
Watson

v2.29.0 | Report a Bug | By Email | System Status