[TLS] Re: [EXT] [lamps] Re: TLS Client Certificates; a survey

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Tue, 24 March 2026 12:21 UTC

Return-Path: <prvs=9543c0dec0=uri@ll.mit.edu>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 611D5D0A08C5; Tue, 24 Mar 2026 05:21:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -3.296
X-Spam-Level:
X-Spam-Status: No, score=-3.296 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MPART_ALT_DIFF=0.79, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TRACKER_ID=0.1, T_KAM_HTML_FONT_INVALID=0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=ll.mit.edu
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iEjkEPMXUenV; Tue, 24 Mar 2026 05:21:21 -0700 (PDT)
Received: from MX2.LL.MIT.EDU (mx2.ll.mit.edu [129.55.12.51]) by mail2.ietf.org (Postfix) with ESMTP id D97F9D0A08BD; Tue, 24 Mar 2026 05:21:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ll.mit.edu; h=cc :content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to; s=dkim1; bh=qOz0hz4fVzWwuD1DDGK3g8uGyLgZ 5F4R6cO/twLvZEk=; b=wVjyJ8BbLMDLuorB3MVNPVU3oxq4/KjldfbvSkFFcbOl r6SMWG2e5U7ydvSf6OY/cHcte+QyjkY72rC9iQc0+tXY7/Z6FlKOv9j8vzjV0uhJ 6DU2Bz4iB6ou2QWCVL7BRJkjzNI8fUkDdtJjDelp35fIFSQGUG0aTcfYkKZNRtk9 +2Q5PWo/8DPClyJEDjqgAwMQB497qt6rV6TLvfq3Rl7eK51YXVw6BHd0DWpT1NMN /CTfNHys38CW4285vhR7HDf+FMN+DklJDsuLyUdF9vVNXUoiuOCX6mEqtgbsTW4w B/7ykDLdFurbCnD2uZ+cQff+ykvjxGMD/hVwgyf3Lg==
Received: from LLEX2019-01.mitll.ad.local ([172.25.4.97]) by MX2.LL.MIT.EDU (8.18.1.7/8.18.1.7) with ESMTPS id 62OCLJbZ020962 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Tue, 24 Mar 2026 08:21:19 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=y9fnY1eCb+G3IfV/E0k1nibYAoIL4LIPBPiC25i646buSRMe4gKijh+3NFM/JwaiSBN0Mu6Ruw9cHChLw8nn/WjsY+kT9UhShbiuN/YpBUINGNLqKAgzcl+uiKLtG6b0UonWJx7p7gfhuPDy2tQjqfMUeunDlMKKdRquvtMu6ttYjiIHAyV7O+Q2qIWqU6O8iM24Rin+PY51+9srYP5kq/SvkIJX0s5574VaD6se+X3qiBqaONbDjD+7ztzXaC8JMAviq0VzWxmjOu57+JdpbR4ROnSwLdQoPi4vi+kwPrG2Qf5bWIbHu5ZB9XoX33BcOTZ7yUsPALR7OjrCL2pbGg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=qOz0hz4fVzWwuD1DDGK3g8uGyLgZ5F4R6cO/twLvZEk=; b=of3+J+rQaVOQ4y6v6svGgRUtIONIcCMEezKrWw10n71rthU8lh6tkxDk6j5PhtzItDY1rJ+jfmAhv+UJizniu4UVQ6ixR6PmafCMe4heTonm9t1m3A2UvScgwkPd3zKRvAlcI4dGNCqk1ap9wTv4Vn8yQUom0F9/oEJViLhkokmXwC4FH5X/KDNfYm8bjIN4ys1IBvV+/T85/TjFWKG2b9NR8g6jfBlmIIEFtUkzYKN3jmvYqVepiSmgth2XBC5qLSPCz3GAFrwLBsiMgYW98qcu9w09VqHVSALZ6fwK4PXgepJCD60EZZn8MArXbQfmHhGOvW5muMUtnlzlwEvBzQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Phillip Hallam-Baker <ietf@hallambaker.com>
Thread-Topic: [EXT] [lamps] Re: [TLS] TLS Client Certificates; a survey
Thread-Index: AQHcuKVJrYdrF/JPLkipdE9y9SFFB7W9DbcAgACSW4A=
Date: Tue, 24 Mar 2026 12:21:16 +0000
Message-ID: <CDE146A9-7707-4F58-BC8B-E3FC1D55D31E@ll.mit.edu>
References: <CAMm+Lwh6mN3gi-EqOsaHrvKyWqoyexrWyMr640UFcHv0EtmXGw@mail.gmail.com>
In-Reply-To: <CAMm+Lwh6mN3gi-EqOsaHrvKyWqoyexrWyMr640UFcHv0EtmXGw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN0P110MB1419:EE_|BNZP110MB2557:EE_
x-ms-office365-filtering-correlation-id: e6c23b36-7728-45f5-009b-08de899fd920
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;ARA:13230040|1800799024|6049299003|10070799003|366016|4022899009|18002099003|56012099003|22082099003|38070700021|4053099003|13003099007|8096899003;
x-microsoft-antispam-message-info: EFfjS/5E2tPgsXCVgAjeWO7lHK6hj1sFkCEKtK4Xb5IMs861lNabjROTH/w+pl76juGc0nSwrBc/QXOL62KaXoQB4ntn/kQzTNIXyEbBNZhtTR1lG3WhVD8QlMD8u6cy1Y9GYFDuOklrCj1H1MwaJ0syAyQVCtMdC2cSskGiRcSx6GgwM1EEm3cyFLCjOYZEu6I2CAMOfdBf5FPehYdPlNwtY1c8QIGyK+HupOtMWppDT5o8fzmgp04gcX0oh39uACpGvfLOpc0OlQJLAUICnS08aJlxY8aZT8qEn1rW6mzv01sYIOH3D38arX24U7kwjwxKO1R0wSxSrmMVIXDn7lamr1HR//5YcdRqxTf1MXYDJjt7fxBnrDgmJa28tgULSC8GiGhOc/Z7w0coUYECJhYvNDHwijvoRiraCXVLtxfvaArSgXkbdVPAB7CTacNtG5iRo7SVhPo7SPXBa7Oa9XHPmZs6tF/CZ08GBzNRiUTal6PGrhIUDIO/PRR04hyx5KPIB5jIQuXavdXTjeY2X2crkn658U0nTOPictgDR4AgZWRCg51UqYwBnpwM0LhP75iWeoh4JOPBcuIW0fp/WjJQ/xYGsYKIl7KQecX06Oi6poZ2NpM3orjbMsO3te5AHZmag8y3KpG30PbPj9GyXJEhKfhh9RDhRSYD7osDduIIqlV+4WaMG7BKhg0N0EJPO7RtKfMPb77rA7tz5v3X/aGAtWo1dBKBR+24rFLR/58=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(6049299003)(10070799003)(366016)(4022899009)(18002099003)(56012099003)(22082099003)(38070700021)(4053099003)(13003099007)(8096899003);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: h3Ai6BbXDR4jzTlNB5dn3tKZqH+OYPe9ljgRYjZbdNSBz53F0fSKznh7zvQ+rfVCXS3AyIPIxE6ATxlTOkLcmh7gB6b0BqhXvOH5sMmankZD1euqtBB+NG9ysGSOHldj9BNHlUXEH8YHLIcNtoeKdfVNXWzkLcUklO6B3boWqm/vIXrABaSBSn2dn+vIpmd5BGY4k2y001Hci6JXOHYDbL8+1+Hzb7Qv83O8OYVE+y7b6XYH9i2qRk+fe4Xvs2JyQIQ0reu5N1sdZDN1321q1BkP7bqahYXEMDWVW1cbRipGJhVIPZjnMOa5M67pySeQPSxXGtxhK9mKjuW4GC1GZbnXaWkFfWt2vwG9PIASuA1hKP9Swm86WvwQhVJUhEa7UcHemKo6034XVtzOjZ405zjKY9A0oh0ApaZbI7Wq2Eki3wVJ4ujKCFQWjJsJKdf9xNi3/tAZpeQAJz3+n0IssqL/Au9XwLy5AET0zs5SRw/LHXZ/sOfaZ/nIPWUV1gMNjrN6P33A/jVXJsVKD1FQVToagVlVIvL6K443XouuCDKmgq5jhI5gkn8PyOxfABm7IaVZQ6MWA06cqpDN6TxUzi4a1PRXpB8vCXZv1sKnerZ50BabMY54Tjd7dxNC8Uz7lh7eqdvCdDxgLtxeFIK/n9obEiyLqxpS2/ykM2eaK5IqGlojGc38YZmXyVVL8O1Twsn4v/B19WuLNSRYge10D/RQLi6Tgd5eG5VXAZ6IfVkBpZu61WghOKykzdzTIquAv8qVDgCy/myhYZsX3KCUpGRiMxGNud7BO+E+LXTsqDLj+WMicFROV7FPTtNbCw6NP1rBK/ECQm0OzMEQkR06O4lSQ0CtB4MeyR3xFv83XihrfmDpOWBfaLxKxMGPbxnS7aWN5TSh7nxe36NWOo7EzAC1vED6BFfz9pdWZdWLnpxmtH+Hl7RvO2ULi9oaTJq5IRQqHLGHp2H+f4Papdk/oqXjg0+reodknX8ICsN0Y+FCMMkUzXQQ0Zca6pEao9JZq3zCy6SyBVzybkDF/sJL25QvVpIXnXFdf0T2ILOIm8bjHk7V4qdvzwPGWEBmmpoqVbWr6DXu5gee7VGs4vBs+JXuR7cInUu+Wi/Iq6zFQJpVBMTdmAzOVs4nSBFeZhOOyNMEHxyC/+zlRv1WJfTqLgqwloFjg5gFPIz8RP8qXsRPcb0al74vyn3vqEqb82aO6mQuRg6/7EnCcnyNs1lmhY9jERs0tmhGZY3bZ4hJ29/3VxphWXkLCXpUQLNm7hrXDhKpe/O3/5Qkp0iR0my0JSMk/Xl2zo6EYChmId9b+5vaWrWFx1hr+V4dPmJyaWKjU2iXijgn2PU15XNxP2pGw3L65G1Ul2SXCwCfNEW4dmtxqpNbIDBrU7vtydCDxJFcMdy2wyytzbvk83LMhBl2KVfL9RHSUgUoiOo1uq44746l0FvqfpejBqICkuDlxf25zBG59hbLToo+oeRXcIHRHSsSRa+XKGtQcWQDdJ7EHSxLLZ2soWRj1+Fu0uj7PB8R
Content-Type: multipart/signed; boundary="Apple-Mail-288ADDEB-74E0-4671-828B-9CB73E4389EF"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: e6c23b36-7728-45f5-009b-08de899fd920
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Mar 2026 12:21:16.8732 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BNZP110MB2557
X-Proofpoint-ORIG-GUID: sqXxYaKSddD0nmweaStzXrw8JfWrXZaW
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwMzI0MDA5OCBTYWx0ZWRfX+K0XedfegQRV o9+QLXlpud2eMbgeIx3n+IytTQh+F/TqPXa/JyksX+RCZNbIV6kaqmDQ4QqhMT7Hp62m+GYcPBM 3gyHCNGJ2hSn7zCorfm5w5qJfCLhauQ5EPDyy+OkpWBFqRHHkP0TBbozSnR2AAuTBGZ9BxQ/ack DFEt6rCPogqg0i9twuKt2QzDqr+XOZ+AGwcSHx2+i0mXRQAGC4zEbANM11ZiOr9+6fV9DB9MzRI Xd9byi+pgrNuNwWFe21z27ZHja8oetO6FHPDox2TzkSvLgV28GDKW1u48lEl8XXq64zt2tTiaF2 H59ZtRV+72OWtncWqka
X-Proofpoint-GUID: sqXxYaKSddD0nmweaStzXrw8JfWrXZaW
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49 definitions=2026-03-24_02,2026-03-23_02,2025-10-01_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 mlxscore=0 spamscore=0 suspectscore=0 adultscore=0 lowpriorityscore=0 mlxlogscore=999 malwarescore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2603050001 definitions=main-2603240098
Message-ID-Hash: FA5RXNAGGSVFLGKH3VRQQZSQK67D6QCH
X-Message-ID-Hash: FA5RXNAGGSVFLGKH3VRQQZSQK67D6QCH
X-MailFrom: prvs=9543c0dec0=uri@ll.mit.edu
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Rich Salz <rsalz=40akamai.com@dmarc.ietf.org>, Tls <tls@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [EXT] [lamps] Re: TLS Client Certificates; a survey
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/lkLXC-m2SXo0utLqOOZMkrMveSY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

I agree with Viktor, and confirm that we use serverAuth and clientAuth with non-web non-browser apps. 
Regards,
Uri

Secure Resilient Systems and Technologies
MIT Lincoln Laboratory

On Mar 23, 2026, at 23:39, Phillip Hallam-Baker <ietf@hallambaker.com> wrote:


What application domain are you considering using the client certs for? I have been trying to work out ways to make client certs work in an open PKI and have come to the conclusion that PKIX is just not the tool for the job. PKIX is a really
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender
This message came from outside the Laboratory.
 
ZjQcmQRYFpfptBannerEnd
What application domain are you considering using the client certs for?

I have been trying to work out ways to make client certs work in an open PKI and have come to the conclusion that PKIX is just not the tool for the job. PKIX is a really good tool for deploying client certificates within an organization, that is what it is designed for, LRAs, hierarchies, that is what all that mechanism is for. Issuing certs for federal govt. workers, no problem.

The cadences of PKIX just don't work for the problem space. Most times I would spend more time updating my cert once a year than I did making use of encrypted or signed emails.

But I just could not get to a way to make it work for general Internet users and I really don't think Web o' Trust does either. Which is why I spent a decade working on the Mesh. The original plan being to give everyone a personal PKI.

And then I started looking at DNS handles and their use in BlueSky and I have a much simpler solution that I think addresses a lot of very interesting use cases and a part of it is already in CALEX.


So the starting point is, I want to put all my cryptographic contact information into my JSContact (VCard in JSON). So not just one public key, all the keys you would need to talk to me via any protocol whatsoever. OpenPGP, S/MIME, Signal, Git, Code Signing, everything that needs a key.

Next thing is to have a secure means of authenticating updates. So that once we exchange contact information, we can communicate securely via any application protocol I support at the time, including protocols not yet invented. This is a bit I need a bit of lobbying support on. The idea is simply wrap the JSContact in a simple binary envelope and sign it using JOSE.

Final thing is to provide mechanisms for exchanging contacts. And this is where I have a second very small bit of mechanism, a URI form that has a single key that is used to locate, decrypt and authenticate the content. This URI is essentially a bearer token for the signed JSContact blob and it can be exchanged in many different ways:

* Add it to every email as an SMTP header.

* Put a DNS handle on a business card (@http://phill.hallambaker.com" rel="nofollow">phill.hallambaker.com links to a TXT record _contact.http://phill.hallambaker.com" rel="nofollow">phill.hallambaker.com with the URI

* Encode it in a QR code and exchange the contact in person. In this case we mark the contact entry in the user's address book as directly verified.


Now none of that gets to the sort of Trusted Third Party credential validation that a CA provides, but a TTP could easily offer that service for signed JSContacts as the need arose. So certified JSContacts for doctors, or engineers or whatever, sure, can do that. But that is the special case, the rarity, not the one to require everyone to start with.

We can reinforce the trust infrastructure in various ways like Merkle tree authenticated logs and such, cross notarization and all the fancy stuff I built. But you get 90% of the value without any of that.


I have drafts and I have running code. I am just putting another project to bed right now and will be back on this next month.

Anyone interested in working on this with me?


On Mon, Mar 23, 2026 at 10:36 AM Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org> wrote:
Since WebPKI CA’s will not be able to issue TLS-Client certificates, what are the customers and CAs thinking of doing?

Replies to be will be summarized to both lists. Please be careful if you use reply-all.

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-leave@ietf.org
_______________________________________________
Spasm mailing list -- spasm@ietf.org
To unsubscribe send an email to spasm-leave@ietf.org