[TLS] Re: Transparent TLS Client Auth (t2CA)
Eric Rescorla <ekr@rtfm.com> Thu, 22 May 2025 20:07 UTC
In-Reply-To: <CAMm+Lwiz5bsb5sHM2Xnq-8kyTnbBDmS_NjEGirEvMLcnfvP0TQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 22 May 2025 13:06:47 -0700
Message-ID: <CABcZeBMzb5n-vuABTO5LEy_eqFc7S7=J=OY817EAqoFuVTA7_g@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
CC: tls <tls@ietf.org>
Subject: [TLS] Re: Transparent TLS Client Auth (t2CA)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/WQukRBt1XNJNmj5bmIgJFHKGkQI>
On Thu, May 22, 2025 at 12:58 PM Phillip Hallam-Baker <phill@hallambaker.com> wrote:

> On Thu, May 22, 2025 at 1:58 PM Eric Rescorla <ekr@rtfm.com> wrote:
>
>>>> * Allowing the site to control the timing of the authentication
>>>> (e.g., offering you connect unauthenticated and then upgrading).
>>>> * Allowing the site to offer multiple authentication options.
>>>> * Allowing the site to control the look and feel of the interaction.
>>>>
>>>
>>> I don't want the site to be doing any of that. I want there to be a
>>> single consistent authentication experience across everything. Without
>>> consistency, users have no idea what they are doing and the scheme is
>>> vulnerable to social engineering attacks.
>>>
>>
>>>> What matters here is not what you want but rather what the site wants,
>>>> and in my experience they want these properties.
>>>> So, again, I ask: which major players in the current ecosystem are
>>>> interested in this.
>>>>
>>>
> I missed this the first time. Are you serious?
>
> 'What matters here is not what you want but rather what the site wants'
>
> So, we only listen to the businesses and corporations, not the Web users?
>

No. I think we should design technologies that benefit users, but we should spend our time designing technologies that will actually get deployed. And that means understanding whether there is demand for these technologies by the people in charge of deploying them. That doesn't of course mean that every feature of those technologies needs to be to the liking of those players, and often it will not be, but if there is no interest in the big picture, then I don't think standardization work is useful.

> I think you are dead wrong about what the sites want. I have heard many,
> many sites say they want OpenID without having Facebook or Google in the
> loop. They absolutely do not want an auth system that has their biggest
> competitive threats seeing who visits them.
>

In that case there will be interest and this might be worth doing.
-Ekr