[TLS] Re: Adoption Call for Trust Anchor IDs
David Schinazi <dschinazi.ietf@gmail.com> Fri, 07 February 2025 01:06 UTC
Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0086EC1D61F7 for <tls@ietfa.amsl.com>; Thu, 6 Feb 2025 17:06:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1JLK-wuM35GW for <tls@ietfa.amsl.com>; Thu, 6 Feb 2025 17:06:14 -0800 (PST)
Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06093C1D8D57 for <tls@ietf.org>; Thu, 6 Feb 2025 17:06:13 -0800 (PST)
Received: by mail-ej1-x62e.google.com with SMTP id a640c23a62f3a-aaf900cc7fbso282405066b.3 for <tls@ietf.org>; Thu, 06 Feb 2025 17:06:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1738890372; x=1739495172; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=OmTj/h2pt/hPWpcdkecjwJ5fjxYijnZ1gxM2Ljd0Wts=; b=Jnbf1PlzJ8fTaMOUNuW3krbQV+ikP/tokmYdcs/duQ1H/oY3q831QchMAn0f4S4ngW 9J+b1cXiV/mTXgVuS/uXnZ2COtxoc3Fn1kMpBdOWN+nsi4h+ry4QirFDgRFc6UmM+XK2 +12wE4iEoeXb3NF9MSa3UPYTvAXIucOQBxrF5JCq0x+eS0m1nM8mv/TTuDVdFTFCOtBN fC79FVsldYtwc1rMcw//MLv5lpmjpo9ZuBXDox1p5qYeCmzAMOAW4aoubt8qZ/TfLIWK eHsccV9l3hTy6GwQ/dMgG9bad6cNllKhnvyQK7lu31tOjuWJtTRxnEdbc2JbUw2SLIC+ T6bA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738890372; x=1739495172; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=OmTj/h2pt/hPWpcdkecjwJ5fjxYijnZ1gxM2Ljd0Wts=; b=iAQGRcqOWrIK3FOnw8BBL3nuXC8lawb/lZJAvXc28IjiHE60fINmFxyzWL6g62TolA XOp5Iy+xOCvYTFMwGr/96ZRMc352Zi0kZ2ph8lP2JtxZHSVs4dFn7b5G6K0A4riDU2E3 qJgwuGyntPsUfHRXUZekJHy0W/g3EKjgQ7yQZ8ZGo+qIKr7hhRyhhZBadyFGvcgFQ2ic BRRrT6jqJ10qfv+mnaS+tu4h0mqTgnoZQdn+oPTK7EARAB8nxdl98PNZW7vY9yrySR+6 Ybsx2P2iWN8kpRCwUAYP7Hads+mXBf8MeV3cyjAMAvnRhuZb4o+N7QIRMrfCarjxNdcT ERAg==
X-Gm-Message-State: AOJu0YxMFjLt28nju3/pMiCRJejt5s9+Of/Xn09ZNfZzh7i/NCKZDQz3 7rXzpZ1I2qASsiKQLI3C89XIHAz0I8XRq86IBsrH1sgQftUVGhU0H3fYRa4yCCndRhXi+spDkJB 2xclC5w0yFNP8hqaFDvrXpd2wl6zbKGXl
X-Gm-Gg: ASbGnctgkXe21FAbpOP7yE+CIC/f6ToJ/Y0WdpzsqozbmssTQWMXIhQVy1hlD26QPNN U1wokYzhhPbItkCMrCv8wwCkbyG7p9NumerV6hJ0AGMHyu2O5YstTI4NOq54Dvn/Q34Aty0U9Rw 8=
X-Google-Smtp-Source: AGHT+IHpwK0nPhPhgvdKW0DjZg4hNwD4DaouMoC2TtJh/bhopCpkIrU415qFlOx9vG62c/sWwuGhrj5F573jC6C61/k=
X-Received: by 2002:a17:907:c285:b0:ab6:32d2:16d4 with SMTP id a640c23a62f3a-ab789c35448mr93177066b.56.1738890372176; Thu, 06 Feb 2025 17:06:12 -0800 (PST)
MIME-Version: 1.0
References: <CAOgPGoDHaHXAcpXjtzoA7U-T7B0LoqxSxXsbp7-Rq+gF3shj7Q@mail.gmail.com>
In-Reply-To: <CAOgPGoDHaHXAcpXjtzoA7U-T7B0LoqxSxXsbp7-Rq+gF3shj7Q@mail.gmail.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Thu, 06 Feb 2025 17:06:00 -0800
X-Gm-Features: AWEUYZkPr9Zso1pW_eQIgHR1_4N7sTQW8hTDQwfdMMaNnfz1QTJWu51YgaeO_V4
Message-ID: <CAPDSy+6Abd_-OrFLJagE329yqfF38V_O-ucgUw3=Ex8EOj6=Eg@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Content-Type: multipart/alternative; boundary="000000000000efe1dd062d82f666"
Message-ID-Hash: XAG367EYBFCILNPHSP2QLQMFSIBW4ZKG
X-Message-ID-Hash: XAG367EYBFCILNPHSP2QLQMFSIBW4ZKG
X-MailFrom: dschinazi.ietf@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "<tls@ietf.org>" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Adoption Call for Trust Anchor IDs
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ldBzjLcTc8vB3EXcBZVH1aaomeM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
I support adoption. I personally agree with the consensus from the trust tussle interim - I do think we should work on the problem as described. Not that that opinion is particularly relevant, because the consensus has already been declared by the chairs anyway. On that note, I haven't seen new information that would warrant reopening that consensus call. I found the trust-is-nonnegotiable draft to be well-written -- though perhaps heavy on the amount it was citing the TAI draft -- but I did not find information in it that hadn't already been said or written on the topic so far. Now that we agree that we want to work on that problem, I think that TAI is a reasonable starting point. I find it more compelling than other ideas discussed in this thread, such as extending HSTS. I agree that this space might have risks, but as we iterate on that solution, I trust in our collective ability to design something that solves the problems and mitigates those issues. Thanks, David On Wed, Jan 15, 2025 at 8:01 AM Joseph Salowey <joe@salowey.net> wrote: > At the trust tussle Interim in October we had consensus that the working > group was interested in working on the following problem: > > “Avoid client trust conflicts by enabling servers to reliably and > efficiently support clients with diverse trust anchor lists, particularly > in larger PKIs where the existing certificate_authorities extension is not > viable” > > After IETF 121, we asked for submissions for possible working group > adoption as a starting point for this work. We received two submissions: > > [1] Trust Anchor Identifiers, draft-beck-tls-trust-anchor-ids-03 > <https://datatracker.ietf.org/doc/draft-beck-tls-trust-anchor-ids/> > > [2] Trust is non-negotiable, draft-jackson-tls-trust-is-nonnegotiable-00 > <https://datatracker.ietf.org/doc/draft-jackson-tls-trust-is-nonnegotiable/> > > [1] defines a new protocol mechanism, while [2] provides an explanation of > why the mechanism in [1] may not be needed and may be problematic. Since > the second draft does not define a protocol mechanism we are not > considering it for adoption, but we request that working group members > review both documents and use [2] as input into determining whether we > should adopt [1] as a working group item. Adoption as a working group item > means the working group has change control over and can modify it as > necessary; an adopted document is only a starting point. Please respond to > this thread if you think the document should be adopted as a working group > item. If you think the document is not appropriate for adoption please > indicate why. This adoption call will close on February 7, 2025. Also > please remember to maintain professional behavior and keep the discussion > focused on technical issues. > > > Thanks, > > > Sean, Deirdre and Joe > > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org >
- [TLS] Adoption Call for Trust Anchor IDs Joseph Salowey
- [TLS] Re: Adoption Call for Trust Anchor IDs David Benjamin
- [TLS] Re: Adoption Call for Trust Anchor IDs Bob Beck
- [TLS] Re: Adoption Call for Trust Anchor IDs Andrew Chen
- [TLS] Re: Adoption Call for Trust Anchor IDs Ryan Hurst
- [TLS] Re: Adoption Call for Trust Anchor IDs Brendan McMillion
- [TLS] Re: Adoption Call for Trust Anchor IDs Robert Relyea
- [TLS] Re: Adoption Call for Trust Anchor IDs Loganaden Velvindron
- [TLS] Re: Adoption Call for Trust Anchor IDs Martin Thomson
- [TLS] Re: Adoption Call for Trust Anchor IDs David Adrian
- [TLS] Re: Adoption Call for Trust Anchor IDs Watson Ladd
- [TLS] Re: Adoption Call for Trust Anchor IDs Mike Shaver
- [TLS] Re: Adoption Call for Trust Anchor IDs Stephen Farrell
- [TLS] Re: Adoption Call for Trust Anchor IDs Thom Wiggers
- [TLS] Re: Adoption Call for Trust Anchor IDs Bas Westerbaan
- [TLS] Re: Adoption Call for Trust Anchor IDs Clint Wilson
- [TLS] Re: Adoption Call for Trust Anchor IDs Kyle Nekritz
- [TLS] Re: Adoption Call for Trust Anchor IDs Christopher Patton
- [TLS] Re: Adoption Call for Trust Anchor IDs Kathleen Moriarty
- [TLS] Re: Adoption Call for Trust Anchor IDs Dennis Jackson
- [TLS] Re: Adoption Call for Trust Anchor IDs Kampanakis, Panos
- [TLS] Re: Adoption Call for Trust Anchor IDs Nick Harper
- [TLS] Re: Adoption Call for Trust Anchor IDs Salz, Rich
- [TLS] Re: Adoption Call for Trust Anchor IDs David Schinazi
- [TLS] Re: Adoption Call for Trust Anchor IDs Christopher Wood
- [TLS] Re: Adoption Call for Trust Anchor IDs Joseph Salowey