[TLS] Re: [lamps] Re: TLS Client Certificates; a survey
John Levine <johnl@ietf.email> Wed, 25 March 2026 16:53 UTC
Date: Wed, 25 Mar 2026 12:53:43 -0400
Message-Id: <20260325165344.497BAFE602A4@ary.qy>
From: John Levine <johnl@ietf.email>
To: tls@ietf.org, spasm@ietf.org
In-Reply-To: <CAAFsWK3FfenuQ7M5UrFTX1aEwvX2aR=4ma=R2tSz3h4D9NU5YA@mail.gmail.com>
Organization: Taughannock Networks
References: <MN2PR17MB40314193002D42E6ED4F465ACD4CA@MN2PR17MB4031.namprd17.prod.outlook.com> <4732.1774288835@obiwan.sandelman.ca> <acGB3/g8HMNNOP4J@ubby> <f6bfea57-f9b9-48df-9d9a-45978460e881@gmail.com> <CAAFsWK02e4Q5+VkB3wPOXkT1W_apLu8Sz-66fxcAKwsco0rfEg@mail.gmail.com> <acNGIxTvpV3Dog0f@chardros.imrryr.org> <CAAFsWK3FfenuQ7M5UrFTX1aEwvX2aR=4ma=R2tSz3h4D9NU5YA@mail.gmail.com>
CC: weihaw@google.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/eZD2eRs5yvqS0e_9HLQDwvq-YoI>

It appears that Wei Chuang <weihaw@google.com> said:
>> I am very surprised to hear that Gmail presents client credentials in
>> the SMTP-OUT direction? Why is this done?
>
>We observed that for 38% of outbound messages, the server requests client
>the certificates.

I believe it, but I also agree with Viktor that's not a reason you should send them.

My semi-informed guess is that it's a combination of a poorly chosen default in some MTAs, and hosts that use client certs to log in for submission.

It'd be interesting to hear if you can tell what MTA software is making the client requests.

R's,
John