[TLS]Re: Trust Anchor Negotiation Surveillance Concerns and Risks

David Benjamin <davidben@chromium.org> Sat, 20 July 2024 18:23 UTC

From: David Benjamin <davidben@chromium.org>
Date: Sat, 20 Jul 2024 11:23:28 -0700
To: Mike Shaver <mike.shaver@gmail.com>
CC: TLS List <tls@ietf.org>
Message-ID: <CAF8qwaB3VuWSYTi-gH99+N_cgi1ZAdMpzhrSE4=KTD5xbQMwXA@mail.gmail.com>
In-Reply-To: <CADQzZqtsj272Gt771Ef=VhS2+WvWKkct0Jx1=wmyS7kTu0ds1w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/noq4mCGeT95XYOfEIJAOaKYIvew>

On Sat, Jul 20, 2024, 06:13 Mike Shaver <mike.shaver@gmail.com> wrote:

> On Sat, Jul 20, 2024 at 8:59 AM Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
>
>> Allowing various embedded and IoT stuff to migrate off of WebPKI would
>> be of immense value. Such stuff using WebPKI has been a source of a
>> gigantic amount of pain.
>
> I agree with your second sentence very much, but I don't understand your
> first one. In what way are these non-web systems not allowed to use other
> PKI models today? How would trust anchors provide that permission?
>
> Mike
>

If the same server serves both embedded/IoT traffic and web browser
traffic, but we aim for the two to use different PKIs, the server needs to
arrange to serve different certificates to each. To do that, we need a trust
anchor negotiation story.

David
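The situation David describes, as an added illustration that is not part of his message, of any IETF draft, or of the working group's wire format: one hostname holds a WebPKI chain and a private IoT chain, clients that negotiate advertise which anchors they trust (in preference order), the server picks a matching chain or falls back to its default, and the client still verifies that whatever it received terminates in an anchor it trusts. All anchor identifiers, chain labels and the `select_chain`/`client_verify` helpers are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CertChain:
    """A chain the server can present, identified by the anchor it terminates in."""
    leaf: str       # constructed label for the end-entity certificate
    anchor_id: str  # constructed identifier for the root (trust anchor) of this chain


@dataclass(frozen=True)
class ServerConfig:
    chains: tuple          # every chain the server holds for this hostname
    default: CertChain     # served to clients that do not negotiate anchors


# Constructed sample: one server name, two PKIs.
WEBPKI_CHAIN = CertChain(leaf="device.example (WebPKI)", anchor_id="webpki-root-A")
IOT_CHAIN = CertChain(leaf="device.example (private IoT PKI)", anchor_id="iot-private-root")
SERVER = ServerConfig(chains=(WEBPKI_CHAIN, IOT_CHAIN), default=WEBPKI_CHAIN)


def select_chain(server: ServerConfig, client_anchors: Optional[list]) -> CertChain:
    """Server side: pick the first chain, in the client's preference order, whose
    anchor the client advertised. A client that advertises nothing (None) or
    only anchors the server cannot chain to gets the default chain."""
    if client_anchors is None:
        return server.default
    by_anchor = {chain.anchor_id: chain for chain in server.chains}
    for anchor in client_anchors:
        if anchor in by_anchor:
            return by_anchor[anchor]
    return server.default


def client_verify(chain: CertChain, trust_store: set) -> bool:
    """Client side: the advertised list only steers selection; the chain that
    arrives must still terminate in an anchor the client actually trusts."""
    return chain.anchor_id in trust_store


def handshake(client_anchors: Optional[list], trust_store: set, server: ServerConfig = SERVER):
    """Run one simplified exchange and return (chain served, verification result)."""
    chain = select_chain(server, client_anchors)
    return chain, client_verify(chain, trust_store)


def run_scenarios(server: ServerConfig = SERVER) -> dict:
    """Constructed client populations hitting the same server."""
    browser_store = {"webpki-root-A", "webpki-root-B"}
    iot_store = {"iot-private-root"}
    return {
        # Browser negotiates; its second preference is one the server holds.
        "browser": handshake(["webpki-root-B", "webpki-root-A"], browser_store, server),
        # IoT device negotiates and is steered to the private PKI chain.
        "iot": handshake(["iot-private-root"], iot_store, server),
        # Legacy browser without negotiation still gets the WebPKI default.
        "legacy_browser": handshake(None, browser_store, server),
        # IoT device without negotiation: the server has no way to know it
        # wants the private chain, so it is served WebPKI and fails to verify.
        # This is the case negotiation exists to fix.
        "iot_no_negotiation": handshake(None, iot_store, server),
        # Client advertising only anchors the server cannot satisfy: the
        # server falls back to its default, which this client rejects.
        "unknown_anchor": handshake(["other-root"], {"other-root"}, server),
    }


if __name__ == "__main__":
    for name, (chain, ok) in run_scenarios().items():
        print(f"{name:20s} -> {chain.leaf:36s} verified={ok}")
```

Two points the scenarios make concrete: without a negotiated signal, a server that holds both chains cannot tell an IoT client from a browser, so one population always ends up with the wrong chain; and the advertised anchor list is a routing hint only, since the client's own trust store remains the authority on whether the served chain is acceptable.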
