[TLS]Re: Discussions on Trust Anchor Negotiation at IETF 120

Dennis Jackson <ietf@dennis-jackson.uk> Mon, 29 July 2024 14:12 UTC

Message-ID: <37483eb9-baed-468e-94d0-bf5054f878e1@dennis-jackson.uk>
To: tls@ietf.org
In-Reply-To: <CAEEbLAa5bZ3zQX=A74THsxtgkryF4sCVCt1P+BTdDi9faraciw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/iV3Ncek0XeJZzT2LAQH8Sh6xXeE>
Date: Mon, 29 Jul 2024 14:12:47 -0000
X-Original-Date: Sat, 27 Jul 2024 18:56:17 -0700

On 26/07/2024 15:24, Sophie Schmieg wrote:

> I don't think trust anchor negotiation needs a lot more discussion, 
> over what has happened already. All in all, I think it's a good 
> mechanism that is fairly well defined and it's not clear to me how it 
> would benefit from an interim.

The Trust Anchor Identifiers draft was first published only 4 weeks ago, 
received less than 10 minutes of discussion in the meeting and has a lot 
of unaddressed issues.

I feel that if the authors had chosen to focus their presentation on 
their new draft, rather than splitting their time slot with Trust 
Expressions, there would have been much more time for discussion at the 
end of the meeting.

As I noted, many participants in the meeting expressed a preference for 
an interim, so I would be surprised if there was support for adoption, 
especially as the concerns I want to present are fundamental to the 
design rather than about issues which could be addressed later.

However, I'm sure the chairs will gauge how close we are to a rough 
consensus on adoption based on their own conversations with the other WG 
participants.

> PQ TLS on the other hand has a lot of open questions about things like 
> different variants of Merkle Tree Certificates that I would love to 
> flesh out further. If we want an interim, we should focus on that 
> question, and leave trust anchors out of the discussion, in my 
> opinion, moving them towards adoption instead of drawing out the 
> process even longer.

I agree the scope of PQ TLS is much wider and will also need some 
substantial time to discuss. I think the first job will be figuring out 
the problems we're trying to solve and our requirements, but I'm excited to 
talk about the different variants of MTC as well.

Best,
Dennis