IETF Logo Mail Archive

Re: [TLS] Merkle Tree Certificates

Bas Westerbaan <bas@cloudflare.com> Wed, 22 March 2023 12:54 UTC

Return-Path: <bas@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D57CAC13AE23 for <tls@ietfa.amsl.com>; Wed, 22 Mar 2023 05:54:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wuXXf9bjbs-W for <tls@ietfa.amsl.com>; Wed, 22 Mar 2023 05:54:35 -0700 (PDT)
Received: from mail-yb1-xb29.google.com (mail-yb1-xb29.google.com [IPv6:2607:f8b0:4864:20::b29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2899EC15DD5E for <tls@ietf.org>; Wed, 22 Mar 2023 05:54:34 -0700 (PDT)
Received: by mail-yb1-xb29.google.com with SMTP id p203so20795578ybb.13 for <tls@ietf.org>; Wed, 22 Mar 2023 05:54:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; t=1679489673; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=wugBQOmhgU7CCr/thEQuKot0fPPq/yZo0oxh3PhP6q4=; b=TFc0yq1H4FKp838T5j2TXivZvMzKymWrOawbqu+HW90DyLRSsoP4E1wjkzzk5xu14+ pD5jkXdId0SGAiPez6C4/Qw3k7NDWH176C994QkGF1FdXz5xCBG/LwgtQrZ0nnMFCl69 uQ2nTWYXnM0gKNMte11Fcv62TG5Deu00uhOaE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679489673; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=wugBQOmhgU7CCr/thEQuKot0fPPq/yZo0oxh3PhP6q4=; b=3yzU+OCfyul//N7dzXn2oIX6kLReDC0wYGpDgSJQmhp/r8+aILtBbMNfeKt1sLQ+QS UUvFyy6bb+aMp6Um2T+KUkwTPUvGDPTgreQwLRANI0ty50xp8MVD/TTcsWA7H5QsWFfL aloGYFl1w9OJzGOqkBTWAAbBniXTFuxuwr/Matd3Uh1Hn6xUrF06V+3m7Tei5g/IXH/G qLvWHGjFk5ChTKfmL97Pf9IYZYURnwPukcoLdlU6KfN67/fAqEE9NOLPayPOV5ihtEBs unG6Vm3Pfs14qhhonsDMt/CLoVsN9mbGW0HpVjSf6ufSHX30zVhUEJLk+C7Vabii7SIu vYmw==
X-Gm-Message-State: AAQBX9dStETUCnKjrwJV8hZpgFOppqS1O9ZPMUYBVw6YqWQpcqiWekEl IEgLYZB/hnOm6fWwu4IkUom9WkK/7czHtK+vlu5PYQ==
X-Google-Smtp-Source: AKy350Z58dFAbqe7/sM3bp4p4zlb1tv1Sd6sIjq+H5H06mtu+ZhR+s5L64lZvTLzBZn6T1ePnxh6GJqnBUjSVmFuuSo=
X-Received: by 2002:a25:890a:0:b0:9fe:1493:8b9 with SMTP id e10-20020a25890a000000b009fe149308b9mr3213654ybl.8.1679489673602; Wed, 22 Mar 2023 05:54:33 -0700 (PDT)
MIME-Version: 1.0
References: <167848430887.5487.1347334366320377305@ietfa.amsl.com> <CAF8qwaD9x5v1uU6mLtnUAGMnBW881ZE0ymK8rsQzrV2hfj7yHA@mail.gmail.com> <e1bffaf7-bca0-45d0-a844-39d20473c446@redhat.com> <a24924a2cc2b4afba890660bdc2c220d@amazon.com> <CAF8qwaBe6o3ASer_wnztse_Wk7RwofkpzuPfVGdo7AGjN6T9aw@mail.gmail.com> <8f6ffb56-ed99-46b9-92c4-e07b75f7d85c@redhat.com> <CAF8qwaD4HnPvnuHDNeXLgMkuqkFnOfpwk4DsjDb-SBudumeiug@mail.gmail.com> <7cf62fb9-6aaa-47cd-b988-bdfcf8911d63@redhat.com>
In-Reply-To: <7cf62fb9-6aaa-47cd-b988-bdfcf8911d63@redhat.com>
From: Bas Westerbaan <bas@cloudflare.com>
Date: Wed, 22 Mar 2023 13:54:22 +0100
Message-ID: <CAMjbhoXiw3K9D9t3ig4isRWkfVWHr1B9EOg91quf3Bbg8azopw@mail.gmail.com>
To: Hubert Kario <hkario@redhat.com>
Cc: David Benjamin <davidben@chromium.org>, "<tls@ietf.org>" <tls@ietf.org>, Devon O'Brien <asymmetric@google.com>
Content-Type: multipart/alternative; boundary="000000000000665f1305f77ca983"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/a-KN33pndFnz4Pl4B4fwmRMXpIE>
Subject: Re: [TLS] Merkle Tree Certificates
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2023 12:54:38 -0000

>
> Unpopular pages are much more likely to deploy a solution that doesn't
> require
> a parallel CA infrastructure and a cryptographer on staff.
>

CAs, TLS libraries, certbot, and browsers would need to make changes, but I
think we can deploy this without webservers or relying parties having to
make any changes if they're already using an ACME client except upgrading
their dependencies, which they would need to do anyway to get plain X.509
PQ certs.

v2.23.0 | Report a Bug | By Email