[TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: TLS Client Certificates; a survey

Nico Williams <nico@cryptonector.com> Fri, 03 April 2026 16:05 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 7C67BD6207F4; Fri, 3 Apr 2026 09:05:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775232322; bh=b3fkl9hGVahPDKfJtvSl5sEsXr139qCRbVGiaxJKnS0=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=i5ywhsp82I4cE8nc87s/SUCCvJUujblfjIeYh8RwjnxbdxoShHh6lPkpsHirenfYa UklSEsHKUzo9c3F3alM+1SxiRkobXeHJ0wJwY95n9e/LizOu06x2t5Mtzgs2gSHGK5 vu3eWlhq+9378OeO2nZRIjnsH1hfWTncMt3538zc=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cu-b6ogTy3U5; Fri, 3 Apr 2026 09:05:22 -0700 (PDT)
Received: from golden.elm.relay.mailchannels.net (golden.elm.relay.mailchannels.net [23.83.212.73]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id D66D2D6207EF; Fri, 3 Apr 2026 09:05:21 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id BB6FF640DBA; Fri, 03 Apr 2026 16:05:14 +0000 (UTC)
Received: from pdx1-sub0-mail-a243.dreamhost.com (trex-green-3.trex.outbound.svc.cluster.local [100.96.47.178]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 4091F6422C2; Fri, 03 Apr 2026 16:05:14 +0000 (UTC)
ARC-Seal: i=1; a=rsa-sha256; d=mailchannels.net; s=arc-2022; cv=none; t=1775232314; b=fI4sNZCEzWyRANSn+45YCKXlxPbr4BZVR3YV+SGZlYtw/3U1EaQXMuTPHG/LCMNTtgxC0+ W9/2f+bQVhIbXvqs9xPiQIztMKr+T3fBkjq5b3NjZi9jLPjH1/tqRKBidgFn657MiWJUsG pexSqawwEA31zRAlQfxMmgqT3HrNFpRg1Ifc0El19Kt89TcTx2z7VoIkjldkdvhQhrI3LL 8ZZkZ7xtT+BciqsvHm3BBVDuuhr3YpTChtB/ymnrEaV24WaGTb/u6ukgN6PshALZY3Gc9r Kitfn8POE0C943GSydSk3Okgg2xWNYYH5KQ1fksEXl3A87UNMVUpDJy4SEPJXQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1775232314; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=l/Rsk+8frJ1IYE5JLq6kWeH1//rFUTa7zAJIkb7HIi0=; b=O+tsfWW55RHaIoM1RVhdL0rqnoorkelFdzAt+IDkXgHTO/GVqMnZnmARaWsFVsjBCEuSmi RkOGpbnlPDwQ7QjnpPTV/65QJbN8GsqhrFopQRh9Aj80OB0qsTIQiDyzsflP+/zdgJni20 nDMANgh6jgLwYQQwYgTV2H4C76mgFvPb4qJLkUHbk+42pxbl2SSMhZRvnTHe8ZuXanh5ab O09PgoehiQSuS9d3LqxbSzvACmtPsKoVaQt2NKhaTO1wAyyi74kRuOFRN31tFkC08sx0bh nOvanvW8S7P931taxdAngIZocKIRieFz7dWhVEk+/eW14iU1aw+f+c7UK6EJFw==
ARC-Authentication-Results: i=1; rspamd-bd48b9d95-9csrn; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Good
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Spill-Ruddy: 0ac1cb772c2ea31a_1775232314550_920888291
X-MC-Loop-Signature: 1775232314550:3442037102
X-MC-Ingress-Time: 1775232314549
Received: from pdx1-sub0-mail-a243.dreamhost.com ([TEMPUNAVAIL]. [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.96.47.178 (trex/7.1.5); Fri, 03 Apr 2026 16:05:14 +0000
Received: from ubby (unknown [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a243.dreamhost.com (Postfix) with ESMTPSA id 4fnNps0V5gz1073; Fri, 3 Apr 2026 09:05:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1775232309; bh=l/Rsk+8frJ1IYE5JLq6kWeH1//rFUTa7zAJIkb7HIi0=; h=Date:From:To:Cc:Subject:Content-Type; b=iotNw/6RsKHEWeMdBqVctwIx5q0kJ7qfXcmN7tWo3nWEz1LD9HMlK/tYkD0a4cWnE 6Amat0D142loUqDz5bdGD3DAyPnwAbyFpUuFdf6quE9+zAFkgYBOLQWXln3jYlhKz2 uDRmLavPtEhyMZsCWSFoQH6sjZ+i0ylIOBia1PQllmyGNKcmL+2rwes/MhUbkWaF8P +Z06EXFUgO1hwgIAOs0wG7wQVfDk0jAmEZ6vta9qjlgPMHmarbVENH9pFDKWdE0UpD XBUk3W7WmQIxZs+FGBS2yqNR548JUKbBGweOGFxKXBVy60lS+6OBSePwr/z4ob7FqM xsxYs4LEwBS1Q==
Date: Fri, 03 Apr 2026 11:05:06 -0500
From: Nico Williams <nico@cryptonector.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Message-ID: <ac/lMpFJn/wYIfuH@ubby>
References: <MN2PR17MB40315028C6985BD9F4F0C886CD52A@MN2PR17MB4031.namprd17.prod.outlook.com> <acrfWoDSHUrYj1if@ubby> <CAKZgXHqKBwYqjB3SOexT1B3=P2m83esgQTV74PJtjk+LGwAhcA@mail.gmail.com> <CACf5n7-n6xj35ukPznkes8rDx9-QWi+CDntt2Z5jcM1L+uo1RQ@mail.gmail.com> <MEAPR01MB3654DAD44EEA7037763885D0EE50A@MEAPR01MB3654.ausprd01.prod.outlook.com> <LV0PR21MB66235C39FFCC9E350BC982DA8C50A@LV0PR21MB6623.namprd21.prod.outlook.com> <ac15yB5aylmUnjc6@ubby> <MEAPR01MB3654D313ADD0D83693FB21BCEE51A@MEAPR01MB3654.ausprd01.prod.outlook.com> <ac6iN4Z6UaUsARHt@ubby> <SYCPR01MB3661C72DB9D344C301B787F2EE5EA@SYCPR01MB3661.ausprd01.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <SYCPR01MB3661C72DB9D344C301B787F2EE5EA@SYCPR01MB3661.ausprd01.prod.outlook.com>
Message-ID-Hash: VMSBFHSLSVZECT2YKG52ELWCE4GG4F32
X-Message-ID-Hash: VMSBFHSLSVZECT2YKG52ELWCE4GG4F32
X-MailFrom: nico@cryptonector.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Andrei Popov <Andrei.Popov@microsoft.com>, Tls <tls@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: TLS Client Certificates; a survey
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/dz6O3VQVa1ohbE2ebxr025qpng4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Fri, Apr 03, 2026 at 07:38:21AM +0000, Peter Gutmann wrote:
> Nico Williams <nico@cryptonector.com> writes:
> >Recall that we're talking about constraining client certificate use here to
> >just dNSName SAN certificates.  Since KB5014754 at least the mapping of those
> >to machine accounts from Active Directory should not be trivial to spoof by
> >WebPKI CAs anymore.
> 
> I'm not sure whether proposing AD (or some other equivalent, if there is one)
> as a means of managing certificate access control is going to help or if it'll
> just make things worse.  [...]

I was not proposing any such thing.  I was talking about how client
certs might get mapped to powerful accounts on Windows given that's what
had been mentioned earlier.

Nico
--