[TLS] Re: Adoption Call for Trust Anchor IDs

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 24 January 2025 21:07 UTC

Message-ID: <cedacf21-a2ea-4c46-b41c-9f55355109ab@cs.tcd.ie>
Date: Fri, 24 Jan 2025 21:07:41 +0000
User-Agent: Mozilla Thunderbird
To: Joseph Salowey <joe@salowey.net>, tls@ietf.org
References: <CAOgPGoDHaHXAcpXjtzoA7U-T7B0LoqxSxXsbp7-Rq+gF3shj7Q@mail.gmail.com>
Content-Language: en-US
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <CAOgPGoDHaHXAcpXjtzoA7U-T7B0LoqxSxXsbp7-Rq+gF3shj7Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jD3iJOdXQuyjyjAxy5MhClBAYOg>

I read both drafts and oppose adoption. I think Dennis'
draft contains good arguments against doing this, and
separately, I think we'd be better off devoting effort
towards efforts that go beyond, rather than fiddle-with,
X.509, so that there's some chance of not needing 50
year old X.509 code in a decade or two.

Cheers,
S.

On 15/01/2025 15:59, Joseph Salowey wrote:
> At the trust tussle Interim in October we had consensus that the working
> group was interested in working on the following problem:
> 
> “Avoid client trust conflicts by enabling servers to reliably and
> efficiently support clients with diverse trust anchor lists, particularly
> in larger PKIs where the existing certificate_authorities extension is not
> viable”
> 
> After IETF 121, we asked for submissions for possible working group
> adoption as a starting point for this work. We received two submissions:
> 
> [1] Trust Anchor Identifiers, draft-beck-tls-trust-anchor-ids-03
> <https://datatracker.ietf.org/doc/draft-beck-tls-trust-anchor-ids/>
> 
> [2] Trust is non-negotiable, draft-jackson-tls-trust-is-nonnegotiable-00
> <https://datatracker.ietf.org/doc/draft-jackson-tls-trust-is-nonnegotiable/>
> 
> [1] defines a new protocol mechanism, while [2] provides an explanation of
> why the mechanism in [1] may not be needed and may be problematic. Since
> the second draft does not define a protocol mechanism we are not
> considering it for adoption, but we request that working group members
> review both documents and use [2] as input into determining whether we
> should adopt [1] as a working group item.  Adoption as a working group item
> means the working group has change control over and can modify it as
> necessary; an adopted document is only a starting point.  Please respond to
> this thread if you think the document should be adopted as a working group
> item. If you think the document is not appropriate for adoption please
> indicate why.  This adoption call will close on February 7, 2025.  Also
> please remember to maintain professional behavior and keep the discussion
> focused on technical issues.
> 
> 
> Thanks,
> 
> 
> Sean, Deirdre and Joe
> 