IETF Logo Mail Archive

Re: [TLS] Trusting self-signed TLS certificates - specifically for HTTPS

Bas Westerbaan <bas@cloudflare.com> Tue, 29 November 2022 00:04 UTC

Return-Path: <bas@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23329C14CF14 for <tls@ietfa.amsl.com>; Mon, 28 Nov 2022 16:04:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mvFX14mn7rZq for <tls@ietfa.amsl.com>; Mon, 28 Nov 2022 16:04:26 -0800 (PST)
Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com [IPv6:2607:f8b0:4864:20::b2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA6BDC14CF10 for <tls@ietf.org>; Mon, 28 Nov 2022 16:04:26 -0800 (PST)
Received: by mail-yb1-xb2b.google.com with SMTP id b73so15457959yba.4 for <tls@ietf.org>; Mon, 28 Nov 2022 16:04:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Yh2P49RaPSau8GDP5kwTj7wEZ/yZqNQhCY2RCsE05pU=; b=sZsUa71D/KeWRulYjhCBA02VfpiyPK8RYpiBCaEuFxAk3UVCfFQH4ghQkMDd2mHcm9 du5nUy99tY1AvtD1NfIj0qRFp/R4GUImA9Kf2YU4rdTlHwWxk7O7Jerq2ZREUBMdFsgv fgr5Go+QUtGobN7QJAArvYvKp5BgWbXE7o+vY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Yh2P49RaPSau8GDP5kwTj7wEZ/yZqNQhCY2RCsE05pU=; b=EkmSLjfAN701mwLfQPP/gK1Lpj9y1EmHHuPVWsXlRrR+ERUjHA7Cqw/YVo59tK0rsz my6zyAhzhiecdOQI+TdfmGimMgbnmXRMQKJDzxqwbOM3m/6krIYxa7RQ87kmRVL0TT00 znuyLe7ve9la457Fy7jrS+Ip+o9y+6uirhx1fVgS3qVLWOi0TktBx3b337Vt2WUTT63C z6vF9g7J0CK/uViIimBjAVipzYIgKpu2t8QCtEo1qg4+OBIAf/eIh0aiZwf5yCbObqoe STpsthIUL0Yu/AgHaiPsrhtb0xMfmJN5lIKMvkJz2UlF/BcdmVH0Nig3oc48g7Lool5Q LTHw==
X-Gm-Message-State: ANoB5pkzhy1xuYrssoeoeUrPsOxhJscJpJnsqxgr5zi3uR9tfiwkugcX JDoSnv05maHh+HWGSWXNFb66UVCT70kIZxVlPPJ9tZI0SF/hWw==
X-Google-Smtp-Source: AA0mqf7om5tfzuNsPMgHTglhzcDkQ/I9+P620H/Bn77am2ESD5XXrbcIkpnUGO7QE5PfwbxrVIuoxYHaKIYpi7ZEMus=
X-Received: by 2002:a25:1883:0:b0:6cb:9c20:795a with SMTP id 125-20020a251883000000b006cb9c20795amr52994587yby.474.1669680265632; Mon, 28 Nov 2022 16:04:25 -0800 (PST)
MIME-Version: 1.0
References: <9jom-o0k2EKlsgFmAQfJqg2oBOK_bEw9D1VvMz3nmF4L4K1vftMPU916SKERU48MSk10IakHBzdPD74CMFYha65rdhg-8PqDpPpArSfYuPI=@olliejc.uk>
In-Reply-To: <9jom-o0k2EKlsgFmAQfJqg2oBOK_bEw9D1VvMz3nmF4L4K1vftMPU916SKERU48MSk10IakHBzdPD74CMFYha65rdhg-8PqDpPpArSfYuPI=@olliejc.uk>
From: Bas Westerbaan <bas@cloudflare.com>
Date: Tue, 29 Nov 2022 01:04:14 +0100
Message-ID: <CAMjbhoXbJamGzM3KK8QU2_Qnu3E9DUvX1A_OvqqUFmbTOtTQrQ@mail.gmail.com>
To: Ollie <me=40olliejc.uk@dmarc.ietf.org>
Cc: tls <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001f4ad205ee90bb34"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/V7xZ8sCitK3Bw6fGc_NLXBmXWSI>
Subject: Re: [TLS] Trusting self-signed TLS certificates - specifically for HTTPS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2022 00:04:31 -0000

>
> In essence, I'm proposing that user agents should trust a fully DNSSEC
> domain with a TLS certificate set up using DANE, along with changes to CT
> log submission process to allow self-signed certificates (looking to
> suggest via rfc9162).
>

How do you propose we prevent CT from being DoSed by a deluge of
self-signed certificates?

Best,

 Bas

v2.23.0 | Report a Bug | By Email