[TLS] Re: Last Call: <draft-ietf-dance-client-auth-09.txt> (TLS Client Authentication via DANE TLSA records) to Proposed Standard
Eric Rescorla <ekr@rtfm.com> Mon, 26 January 2026 20:43 UTC
To: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
CC: "last-call@ietf.org" <last-call@ietf.org>, "dance-chairs@ietf.org" <dance-chairs@ietf.org>, "dance@ietf.org" <dance@ietf.org>, "draft-ietf-dance-client-auth@ietf.org" <draft-ietf-dance-client-auth@ietf.org>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>, TLS WG <tls@ietf.org>, Paul Wouters <paul.wouters@aiven.io>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gV4Pu0CVhhsIvmbBaVXZZ6aGhoI>

On Mon, Jan 26, 2026 at 12:18 PM Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> wrote:

> On 26.01.26 21:07, Eric Rescorla wrote:
>
> I am also lost why this was mentioned as a charter discussion. In my
> reading of DANCE charter [0], your proposal is not at all prohibited. In
> fact, coordination with TLS WG was supposed to happen. In particular,
> charter says:
>
> > DANCE will define how DNS DANE records will represent client
> > identities for TLS connections.
>
> > DANCE will coordinate with the TLS working group to define any TLS
> > protocol updates required to support client authentication using DANE.

It is indeed unfortunate that this latter item did not happen.

-Ekr