IETF Logo Mail Archive

[TLS] req mTLS at Cloudflare

Jonathan Hoyland <jonathan.hoyland@gmail.com> Thu, 15 May 2025 13:03 UTC

Return-Path: <jonathan.hoyland@gmail.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 793A328DBBEB; Thu, 15 May 2025 06:03:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Id4uyLuQW_GN; Thu, 15 May 2025 06:03:04 -0700 (PDT)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id BCD2528DB647; Thu, 15 May 2025 06:01:14 -0700 (PDT)
Received: by mail-ed1-x52e.google.com with SMTP id 4fb4d7f45d1cf-5fca2805ca4so1481378a12.1; Thu, 15 May 2025 06:01:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1747314073; x=1747918873; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=UpoxDnKVKPXLOvjF2iu6SZd4oG5wYpxPEojS8o712v8=; b=SWcKFtDb62GsxE60Wn7CuDR7p8jL5ADwP9slPPH1OwyEEMWw6uFKYvbIsjfDMgG7OI HRc+mT11KoFUytC2oqGy9dZWzoCzs6ahVhcRHpBPTD9Nz4Yvw5kuVkVRFQPhtDJo9ylD biN2biGWNnmN565uVlXqZxXQJ2+Z79TIwbEw0j+CZZ75ZcPT94GHE3+nI7NiugG2KQQ4 RBOFuxY4Nv4ylyyy9XZiplmhUO5l3CQRiC2h6UWfVkJNHOjSKImoamE2p52m9W4YCRXw qwoXkQOH0YvG7WFLh4/35DnzPU5qeP7Eppv9mAhEKAH4nIrz9DChBgTzrq7kaoqWCvDj puKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1747314073; x=1747918873; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=UpoxDnKVKPXLOvjF2iu6SZd4oG5wYpxPEojS8o712v8=; b=l5qeBhn56KyLHoXZHauLO3Zb18C2R+otHVD2ezkAEHUfXoaw/kpxX5Zj69wrL/MNAU Z1uA0cSPo/mvFIQMboMnfovQpjRJhncPR51/zpgdi5I7J4671gsRPvxJzFhElJL4URTW fRizzIi0p8gJi1IQc2S9iZmYZoYjynkZoQ2Y8JfJA4YM1nOs38xh1EfcytnrouzG686/ 8ub59NMcnO+kKQAjhHvMjTLjC5EfwJdNZKXovO8HtXi5RV02MqzovrjYco8CV/bD1hMC rY17IsH2U+InZRL7XjFDSnbrNJC5pbjA0Ulg5sMYfLTwZmwGYRJqkCzuhAxiVG49llVD VRvQ==
X-Forwarded-Encrypted: i=1; AJvYcCWNdxmzJdgzfbPyvPXPXtEXjRpAg5SAmyrlajQnR5MahFhs04MwglxwbimAzn9KTXJDxEZYoHR7zN+Sz8E=@ietf.org
X-Gm-Message-State: AOJu0Yw0ix/X5uth5KwRPLxLsWPtA0NRgfSe1SZGBtJ3Fqkg19tX4lxv BzJvQmsVi7pk0qyZsTfLn15y3iSESIGjy4IKS/xLCM8L9YCXtMY1Qws/T9t2viPZ8ifqkUy9qwT P9voOnPoZSO4r6KaI0vdMYfL7HOde8mtB
X-Gm-Gg: ASbGncubmQjXJGSWbiFTh5dstRYkW8bMI5MRA9vI5wx6Z50LfjpEhaIBfHX86MsSQmj a32jQkq9WkZKXtAWb+lr12TFvLcdyqtMjFpQr465TzSqYAzSLAhvp4TiXHHuxgxnQXkTpsqPX8E E65BEqcLJ7V/N/4EbMGngqDSLh2AcAS9cG+AAXQTAWQm9Ixg==
X-Google-Smtp-Source: AGHT+IEMDb59oXbLGtKJCype/tmHsJGLJPWRKd+5NOxRirz7neZivo0ESAsWQSJ/Uiyz7YmpXVHkanuvC+ac6w+6kUQ=
X-Received: by 2002:a05:6402:84a:b0:5fc:8d86:cc0d with SMTP id 4fb4d7f45d1cf-5ff988e7c19mr5534015a12.34.1747314069295; Thu, 15 May 2025 06:01:09 -0700 (PDT)
MIME-Version: 1.0
From: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Date: Thu, 15 May 2025 14:00:56 +0100
X-Gm-Features: AX0GCFsE2zq1S2TxR-8mLEm_lox8zH37U8brCuYxKPRcikPqaYV0YQ4UPXNTsmg
Message-ID: <CACykbs0RNANG1-mWs2M_acjNZDi+E6phuUTZjDTU4KnsxPTN-w@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>, web-bot-auth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000069583206352c429c"
Message-ID-Hash: JSAEKYEX7DEA4OXD5ZTMST2WVBBGJ5PS
X-Message-ID-Hash: JSAEKYEX7DEA4OXD5ZTMST2WVBBGJ5PS
X-MailFrom: jonathan.hoyland@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] req mTLS at Cloudflare
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZPzHRMWBqktKYO0zPHJ8lO95G8o>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi TLSWG and WebBotAuth,


Cloudflare has just announced [1] some work on mixed traffic endpoints,
i.e. those that accept authenticated and unauthenticated traffic.

We’ve provided implementations and examples for req mTLS [2], as well as
other exploratory paths such as HTTP Message Sigs [3], to enable endpoints
to authenticate automated traffic without impacting eyeball traffic.

If you’re an implementer, we’d love to collaborate and discuss interop
testing.


Regards,


Jonathan


[1] https://blog.cloudflare.com/web-bot-auth

[2] https://www.ietf.org/archive/id/draft-jhoyla-req-mtls-flag-02.html

[3] https://www.rfc-editor.org/rfc/rfc9421

v2.43.4 | Report a Bug | By Email | System Status