[TLS]Re: TLS trust expressions and certificate_authorities

David Benjamin <davidben@chromium.org> Tue, 11 June 2024 17:08 UTC

References: <CAD2nvsS+75evXbaPqO55++a7qm1sUZ8JSpCvJNXwne-w9K3MTw@mail.gmail.com> <6dec3d25-cb8b-4b7b-ba63-62ea3ed5df12@cs.tcd.ie>
In-Reply-To: <6dec3d25-cb8b-4b7b-ba63-62ea3ed5df12@cs.tcd.ie>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 11 Jun 2024 13:08:09 -0400
Message-ID: <CAF8qwaAYGJ2TPa2wgZ2SKb65WAdhvAQ6XPvigYysXM-Vou0uOg@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
CC: Devon O'Brien <asymmetric=40google.com@dmarc.ietf.org>, tls@ietf.org
Subject: [TLS]Re: TLS trust expressions and certificate_authorities
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/lCE71MHhB7-pITb10nNfvDK9Bpc>

Hi Stephen,

We added some text to the most recent draft that addresses some of the PKI
dynamics that seem to underlie the discussion.
https://author-tools.ietf.org/iddiff?url1=draft-davidben-tls-trust-expr-02&url2=draft-davidben-tls-trust-expr-03&difftype=--html

We've also been gradually updating the "explainer" with some discussion
that didn't seem to fit in the draft, and will be updating it with some
further discussion on alternatives and different scenarios when we've
written all that up.
https://github.com/davidben/tls-trust-expressions/blob/main/explainer.md

And, of course, we're always interested in considering feedback and
changes, where they make sense. As with any other protocol work, I'm sure
the final mechanism will evolve significantly over time as the discussion
shifts to different parts of it.

David

On Mon, Jun 10, 2024 at 9:38 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Hiya,
>
> On 11/06/2024 02:24, Devon O'Brien wrote:
> >
> > I realize there has been extensive discussion about trust expressions
>
> Just checking - does your mail amount to "we heard your well-intentioned
> but misplaced opposition, but we're not (yet) for changing"?
>
> I'm not saying that's a bad position to take, but it's not clear from
> your mail, which in some parts sounds like changes may be considered,
> but in other parts doesn't.
>
> I do plan to re-read this stuff in the run-up to the next IETF so it'd
> be good to have a sense of how the authors are considering the list
> feedback, and of course, if changes are planned, reviewing newer text
> would likely be more useful all around.
>
> Thanks,
> S.