[TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: TLS Client Certificates; a survey

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 03 April 2026 07:39 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 553B7D5F356E; Fri, 3 Apr 2026 00:39:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775201942; bh=P5+4kVZxw9kLgoLsZAeaFaC3MDB9Ep/Ki0aCqeogm2s=; h=From:To:CC:Subject:Date:References:In-Reply-To; b=TfzXfbow/JyJMtcO7HH1FCluFK9BnZ48nxm4peT2jX4HWqCJmUS2/Rqy3fWMnE6sn VoUUeusiZOLE/ShmSNKm3Kr35xfE15HIo2um5bRVUG3bLGz2LH0TT7PLcx9sttSTBm jJ25xwgwtGlGmcpeDc8dtqAvL+9WEAx39qBzNYYM=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=cs.auckland.ac.nz
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yqckV1-_sZP0; Fri, 3 Apr 2026 00:39:00 -0700 (PDT)
Received: from SY2PR01CU004.outbound.protection.outlook.com (mail-australiaeastazon11021089.outbound.protection.outlook.com [40.107.39.89]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E3422D5F34F2; Fri, 3 Apr 2026 00:38:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=KjWlVPdI0UeTh+yt/YcSiswJLN1/TW6DiKRunYszRPE0TAgpPHTo7OEjjUFaz9+CaMEQOUBG4HI6bUNYDEjL1Qf98sf7IEQSXJS+cr+0YIqMe+WecOVX1KB5Og2AoH+XwyK6zblV25dC6A8vb4+NrhrYffS5Msm58s50yzGVx8U5CoWumrKVmZ0sXEhtzskaPlMXUmo6cfI4t7Ja2sxkecdCkb8GN+HeI5td5uZHMiklqSBiXm/Lpfu1zkaTU05ExA1n2ZR4DR1kW0Sa5prOocExXHfR9rHVlRKwrG3zYc2pNPLOLDcupbYGZN99sAFx8ZG7LL6LgaerHFyd7RmM5g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=zYreyhNToZFimq37SnxKEV9ZikCdeHp1wQJfJFpFO1M=; b=tSTkfB897MFWPvl14mrq0h5yLhFFg64tziI/yVy3w3JbfR+mZ64XumhE4xWhGZzyeAPuEJClI9ZjoHhriRFMmfzb0n9E8TmQcTCHAxkFD3PalFJY/Ci3VYXjQdbQfcB0br/C0gGLpzMymie6GfiqMdiQiWnyoEjY1jJcKG9DMrIc/IH4nxJPP4Sekg4lJ0GEMibqUIDIExwdvpM60qIJAZBnzIP5WLJdPtonIUf72K8BKtbZJRS7Sc6MfBZPgkCQn8Xlf1Y0tC8OGKvBX/ydSRKBvU/P5Wq7VNBLLU3H2ZjyQE3ujNu5SMigghZJKGxR6Web3sgGsOoLBtI81o1EYw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cs.auckland.ac.nz; dmarc=pass action=none header.from=cs.auckland.ac.nz; dkim=pass header.d=cs.auckland.ac.nz; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.auckland.ac.nz; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zYreyhNToZFimq37SnxKEV9ZikCdeHp1wQJfJFpFO1M=; b=sVyYKFCHFn5VYKvDkgBMiXwRPMj/OfZygRn6W+zB9GYP7xv1Qiu2Qfr7slZXgyKZuB7bo6EMA7G55liS/3OEbg9HL2T+nL9uOhPa5LW4tWB6rFUl0BFe3iBeaaKeIyi5H48wcH6KFXa6VIJv7jqH4K3e6ES6LElBHPd6BaA6DVdShu3B31cfvBotN/Q+41SXYjsXG631KKublGuebDiqqC4CzRy+qgGlAAL4bdnf0WRrJnEvLL/8UwJ6IcP/Zd35caX1Ngn/9yRw4HfVLgjlYlHWqwSGRzlG4AuJwD3LqgEjCw8YS/KToSGUwVMdx/W85IWpQ8+5WIwxoa6Mzi+nPA==
Received: from SYCPR01MB3661.ausprd01.prod.outlook.com (2603:10c6:10:3e::9) by SYBPR01MB5694.ausprd01.prod.outlook.com (2603:10c6:10:e3::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9769.21; Fri, 3 Apr 2026 07:38:21 +0000
Received: from SYCPR01MB3661.ausprd01.prod.outlook.com ([fe80::9fa5:dfb0:2db1:f08e]) by SYCPR01MB3661.ausprd01.prod.outlook.com ([fe80::9fa5:dfb0:2db1:f08e%5]) with mapi id 15.20.9769.017; Fri, 3 Apr 2026 07:38:21 +0000
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Nico Williams <nico@cryptonector.com>
Thread-Topic: [lamps] Re: [EXTERNAL] [TLS] Re: Re: Re: Re: TLS Client Certificates; a survey
Thread-Index: AQHcwhJ73CMI4OIUvEa+JhJkELrY5bXLwgeFgABAFICAAO9zAA==
Date: Fri, 03 Apr 2026 07:38:21 +0000
Message-ID: <SYCPR01MB3661C72DB9D344C301B787F2EE5EA@SYCPR01MB3661.ausprd01.prod.outlook.com>
References: <MN2PR17MB40314193002D42E6ED4F465ACD4CA@MN2PR17MB4031.namprd17.prod.outlook.com> <MN2PR17MB40315028C6985BD9F4F0C886CD52A@MN2PR17MB4031.namprd17.prod.outlook.com> <acrfWoDSHUrYj1if@ubby> <CAKZgXHqKBwYqjB3SOexT1B3=P2m83esgQTV74PJtjk+LGwAhcA@mail.gmail.com> <CACf5n7-n6xj35ukPznkes8rDx9-QWi+CDntt2Z5jcM1L+uo1RQ@mail.gmail.com> <MEAPR01MB3654DAD44EEA7037763885D0EE50A@MEAPR01MB3654.ausprd01.prod.outlook.com> <LV0PR21MB66235C39FFCC9E350BC982DA8C50A@LV0PR21MB6623.namprd21.prod.outlook.com> <ac15yB5aylmUnjc6@ubby> <MEAPR01MB3654D313ADD0D83693FB21BCEE51A@MEAPR01MB3654.ausprd01.prod.outlook.com> <ac6iN4Z6UaUsARHt@ubby>
In-Reply-To: <ac6iN4Z6UaUsARHt@ubby>
Accept-Language: en-NZ, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cs.auckland.ac.nz;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SYCPR01MB3661:EE_|SYBPR01MB5694:EE_
x-ms-office365-filtering-correlation-id: 654c781b-8abe-4a8f-adfd-08de9153fb07
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|10070799003|376014|786006|366016|1800799024|38070700021|56012099003|18002099003|22082099003;
x-microsoft-antispam-message-info: aoVCT1YLpLtXXaIoNeGYzkmHEsrDGGOr/K56ZmqZM2TpF0kouhJDzew0UvrsLVtVVxwsFu9SJLRpN7uJHvcsuy4lJ8VWCTZwuzHfZuwLNnH6FwrfcwsucI7D+cTthSKefqTTn/287k6NA8YvMishYyKzpuO/S7gUMUZyhsQI4MBMnhJQZ63LqqZ/hXYwhk7lsbGuLML7WnBwoMh4PD0RDUqKl77aX4aNamkEqZ4diso3ENY/SJIRT1AO4JtbHPCkMoufShA8fHNPBzLHwTy84eeqQGB6GCUsEoD+7ctrRkOctpwpivjnURzJtpHSKpHbkgeZ13jagDS8Ut3kUNBhWoHR29qu4ojlAGgC/7p3BOZIjNgNAOLodlUMhXLBKpK2lyq77IuMujYc9YTQHCZviQvHv8S5XJpGi7897vkav0E6SsUO1zCWsKgK+Em+HNbEhWVp7Tiir8/CoiDjoUUiAGeU5czYBGzllf4yslKg5pR/JMGW7Llw10pZIQFx2Gc0Q9rzkVb6R/1XbVchSFJerT5DEYD5OrX5P7Wo/ECWU0pSROxZGJwGHnPcwdQpQJedobe+E+jk3zkhgi2TVPZ7zJqo2rRLN72WIq9tfQz1h8RZ/EppgZVaGXxCtHsBDLTHtc63NXb2gNxwREn4U3ccrmkBqhfMz39SuN+k2NVNzQevWAi9cFev5AZ8C8iVXeez58PYReeICDyCKHkswjHwEi+H3rbjrltfMYhGYS4v9aUujVuRek1IBW/NhPmekvkB
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SYCPR01MB3661.ausprd01.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(10070799003)(376014)(786006)(366016)(1800799024)(38070700021)(56012099003)(18002099003)(22082099003);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 2
x-ms-exchange-antispam-messagedata-0: HPDqst2mmu4lf3Vi0N0MbqwvN3c4z//W9xgJZa8cUxZCskRO14HooWlDJ2dCzkgDtYYEhGdehBHOx34OJlFr0xbL91eqZ3M2yQZMXpKPa38XmcB8pFVtPM1jrjM1rFkfXjBXhHIpm5I0kfWxb7rzeDkl1q44RyN+kh6NH7asITyndesGpMD7eSY+ToOfnseBOXsw5ZwGSywQI6s8GBk2iTuzANLX3RFazaOSkeoMefS8HoMO104BSb8K8kHIFETDf2Etty6FlOqH8Pc3rtk138OWDZE3bELwJPRMRjZnxuKOuDZ1qF4mQUi5USczKNCkHTEWOpI+sX12uvIXC4s7EmTQcSSVOxV00muTtTF1WiEqndodYRvqJpeCvYzta9EHmMC6UjgWTEChkY8+iqbGcsMDpR+w58XG4T8Z7UkOLpITIzTSJXnQu8sHNu0Fc3iw6+3hodg5pfubfPyqkDxKJCQXcIfKYS673wIrWuCbV7wLt9C+/1Dr0nS8fVvBCnSl/+UBn7kjfP2qCObJvXZF9s4PsE1gVNhfDyZMF58hcmURzptxQNNRl9CP9juNmPLPhTZdujfAqZV2Z1N8iQYTA4rL6w70zM+GKjzJXjVhMk71SdKwGwRgEmiSit68BAJb6jCa26bUSoIWELJeyGqbj1DZ+n0erSJMBo53KGZnFcjkkLALfpO+Oq91I91OlEcVfDAbXCqFfQ1ht7ywdIK+FCpCxqhL86xqPmtR818tnV64Do5AwpasL0HNAce0bpoG3YTx6Jak3TuBa0P3QvE2r66Y6bPWEqxltbv/UwRCIRCTVGIV6zVdfh8ROpYNEJR1Lzyj2I5Wxwq24SDiC2LmM26w6EHhoUnqlPvVgVToJjQH1OpzI2gi7Bqd7l99QovHnnWRG0wngLEw4wz6Wsikx+bLPcEJzu+0TuDrQ9toF5Rlp2gBieSGL5XCBxr2AR/VmOgX8nfkswPMJ9vzo1BOTOI7cVS5VeMp38RLCqvA6vx91z6Cjlv87iTorGrxV/32nbwodtdzsODcOgW0B26ytYlrOkrRBTRQM2WC1RzWp1v59SoEkYUmQv6/DZra2lTOL9T6i4aBEVoMD9mpx83FRkOKmbB+1aejKlC+yeFy03ZELdl16wwZuQR9xu7deuq44J7QhiM9aUtTfiLO4E/3E0hjdEcU+lPWsGxndgDmCHO2xnfdikX7Fnj4jYFr+ptoQZxU4SyIJQiw+cYnQK0Z6qiZi711tZ60igJOcRHlDPS0hFn6fYpQIIlC67Wo4V6DaC7GXdC29ODmbdlc/nYQ42t67ABjMJCCof8S/U0LCiSHthOHkUpjZRaIDZ8fpXofdtsPuKCtTSgbnUv4s7pcp3lF4NvXWpgq9DZr+kD9iAW9eLrvE8cE5lxQg0qi6yEZmcrHwaZAyNowPM0RZ+aIF1Os+jlSL9hehGwpg9zjnbcZGXm2OwI4B8jXbiwOU9C2ijPEcRltprM3JJ7h4mJI9rnLNkgyJB9rU8UoYLjrkZr67cXYz1XFc8wBgXdHWlxxZUXu0JHPHIn8G4ih4CVwK7F/FcOI8J1NQKa2/OUxsGEtwI1PHLJVM6X5JV6wYv6p53VvlUEzFnF9FTiYObS+JPirJ/TJC4JpaGYFHdsgS3HLDaj5/+Lf1WEYpJUN9/Jf1Mo0B8gii8bOH5WjrxCFlp9TfLkHp+4zPJfm87FRLcHEpdFFGgjvWdE4tfX9Zg2VAsgI2jC+FPn5vdMxiglAQUvpLvYKJ3+sLvb887TlfSi0ZVf5x6RF0t+wq+qHRP0iF8L5uuvS
x-ms-exchange-antispam-messagedata-1: Nh3vWwjVG1mxrw==
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cs.auckland.ac.nz
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SYCPR01MB3661.ausprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 654c781b-8abe-4a8f-adfd-08de9153fb07
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Apr 2026 07:38:21.2756 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: d1b36e95-0d50-42e9-958f-b63fa906beaa
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: fRp8xC/Es2wHPTIwjssGalKIPQkQ5GLahkPPwqBnOHDrzsPcOrJKzLLQacWGNxmv/yHd6JMU8XQMrCoH1Z46Kk2vSnYwOtEhBKJn1UXyZxg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SYBPR01MB5694
Message-ID-Hash: VW5NOXPOJRW6TGZZDBS7UGXGE5TEJVBE
X-Message-ID-Hash: VW5NOXPOJRW6TGZZDBS7UGXGE5TEJVBE
X-MailFrom: pgut001@cs.auckland.ac.nz
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Andrei Popov <Andrei.Popov@microsoft.com>, Tls <tls@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: TLS Client Certificates; a survey
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/aobMOhSPj8QvhyrHj80MdClqYTQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Nico Williams <nico@cryptonector.com> writes:

>Recall that we're talking about constraining client certificate use here to
>just dNSName SAN certificates.  Since KB5014754 at least the mapping of those
>to machine accounts from Active Directory should not be trivial to spoof by
>WebPKI CAs anymore.

I'm not sure whether proposing AD (or some other equivalent, if there is one)
as a means of managing certificate access control is going to help or if it'll
just make things worse.  There was an OWASP talk a year or two back by someone
who worked for a large pen-testing company who pointed out that, apart from
"nobody ever got hacked by running TLS 1.0", and later on "nobody gets
breached because they didn't score an A with SSL Labs", that all the
exploitable vulns they found were from certificate issues or
misconfigurations, typically in AD CS (Active Directory Cert Services).  The
talk was mostly just an hour-long smorgasbord of all the ways things can go
wrong, starting with the ESC1 to ESC8 catalogue and going from there to all
the very-common misconfigurations they'd found, a mixture of both the way that
AD CS does things (sometimes bugs, sometimes unexpected quirks) and how easy
it is to shoot yourself in the foot with it.  It's such a big problem that the
Five Eyes agencies have official guidance on how to (try to) set it up, e.g.
https://www.cyber.gov.au/business-government/detecting-responding-to-threats/detecting-and-mitigating-active-directory-compromises
(scroll down to "Active Directory Certificate Services (AD CS) compromise"
although it's not compromising AD CS itself but just exploiting the way it
works, and it looks like the guidance only covers the ESC1 stuff, there's a
lot more there than that).

Absolutely not trying to bash AD CS here, it's just the most widely-used means
of managing cert-based access control by far and because of this it's a great
real-world example of all the ways that things will go wrong.

Peter.