IETF Logo Mail Archive

Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)

Mohit Sethi M <mohit.m.sethi@ericsson.com> Tue, 05 January 2021 09:47 UTC

Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B341C3A08BB; Tue, 5 Jan 2021 01:47:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.613
X-Spam-Level:
X-Spam-Status: No, score=-2.613 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.262, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oodJG_Ct88rB; Tue, 5 Jan 2021 01:47:30 -0800 (PST)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80041.outbound.protection.outlook.com [40.107.8.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEBEA3A08B0; Tue, 5 Jan 2021 01:47:29 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Uf4RUqZussZXRE8kiwlX0K1BFlTyubnN/UqmmqnbFhSGTWyHtcxFUBiQJqJVsyjZMND0JVxKgKfdI7ZNp9KkDOxqJESeFPuoPumNZVsMcVwxDVsgD8m7Dp0fWMSyFPuZoyptjmmFWbCr9dhqwZJtX25YAEKPXh9h9/Z8vXwXpCFgAXVYC6HjMhAaNncpp48Guf63y72JpUjafHrZHf19+xwIP6YvyZBGnJACUHE8MglV9xdeCsAUGMgvw4DdNcNREBx+Ooe24LNAkg5hCIsVwgPNpv+vRKKMknK6szG6AU8e1CnSNS9OQ2pormVKuQf8OMmBiwdYMBmwQrk/iI3/oA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zyG35c1H1DxDegSzynvdj8K5qJuTxckQCTFxjOYFNco=; b=ZRmrjM+R8R5Xj323l9gMi7U6f5sSwnitBkmnXR5ujuFZFkfVeByKbX5AZ74Ko3TTaCFkFgsNXE5059yGUHHqSYRF/Yc7CUBPmzaW1pSqU+633vbKApfqjhM8ZNKIHJ387CsOgU9EXivrfRLS4CVZ9D1ci49BkeH5ihbgeKGUq3JmE5OfHhXJVpVqbPDvafSNGUsJNvb68ciARfgAhenuud4qxY3H1MKNo6ZIOl7IXOwKdsnxwS3/l4ln3QnSRIqF6De0Cwlj0F7GgX+NDI7w4/Rj4RRfXaTYCSAIztCaQ2VAwYjHg2ZvLWpOktP7b8rUS4w8aFjkRz/S3XzQks/h5Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zyG35c1H1DxDegSzynvdj8K5qJuTxckQCTFxjOYFNco=; b=g2wPzMX50tKzK5w7RL2JMK9eXyHyroProVS7yaJRPA/1e7eFzWsBrr7bBAjdTKHuXECTEbrIQpj2d7Y3E2IxozRbQ8D+Gtp2eOvHoVAMI6zEklHPhWCmQNRpTUY+pqPtwcwJ0AHf41m+px8Af4F4S+/OfP1iDDRahNuO64qMuxA=
Received: from HE1PR0701MB2394.eurprd07.prod.outlook.com (2603:10a6:3:70::13) by HE1PR0702MB3545.eurprd07.prod.outlook.com (2603:10a6:7:83::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3742.4; Tue, 5 Jan 2021 09:47:24 +0000
Received: from HE1PR0701MB2394.eurprd07.prod.outlook.com ([fe80::a012:f1c5:3df:a9d7]) by HE1PR0701MB2394.eurprd07.prod.outlook.com ([fe80::a012:f1c5:3df:a9d7%12]) with mapi id 15.20.3742.006; Tue, 5 Jan 2021 09:47:24 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Benjamin Kaduk <kaduk@mit.edu>, Martin Thomson <mt@lowentropy.net>
CC: Mohit Sethi M <mohit.m.sethi@ericsson.com>, "emu@ietf.org" <emu@ietf.org>, "tls@ietf.org" <tls@ietf.org>, Alan DeKok <aland@deployingradius.com>
Thread-Topic: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)
Thread-Index: AQHW40fFS0YPtTFHBEWM+84ed4Ivmw==
Date: Tue, 05 Jan 2021 09:47:24 +0000
Message-ID: <2aa31d9d-0603-5c5e-de3c-0dc780516863@ericsson.com>
References: <160815821055.25925.15897627611548078426@ietfa.amsl.com> <20201216223842.GR64351@kduck.mit.edu> <0f2b05db-5c98-43d4-aae3-cf620814bacc@www.fastmail.com> <7745bb87-a946-c739-007d-9d3be1212e19@ericsson.com> <bddc3a92-acd1-46cc-84ad-aea013c544cf@www.fastmail.com> <5E1CF713-D917-4E9A-869F-21A4174D0562@deployingradius.com> <5ec5d8a2-a8ee-40b5-9b43-3d1bde2b0032@www.fastmail.com> <20210105052640.GO93151@kduck.mit.edu>
In-Reply-To: <20210105052640.GO93151@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
authentication-results: mit.edu; dkim=none (message not signed) header.d=none;mit.edu; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [188.67.160.225]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5b146709-fc2a-461d-b66d-08d8b15ee7ae
x-ms-traffictypediagnostic: HE1PR0702MB3545:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <HE1PR0702MB35456B8A052DE1DA9B88E8E6D0D10@HE1PR0702MB3545.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: mMTzuuLBE0jhll8dvSUWZDbagYhzefn0oN8vSqDUQXGlxnDBbgBVeVbUoLzDU5PCskhlhrjdobRu830cbB+QunvMYCSrdraf+7oMNHPtA4AIMoI8t/mAgWLioGFXxVu++oCF/EHPWB5BCc8ZwglIO5R5Oy+EVzII11Hhl7+QDNYQJs02O65TKl3OrCT8wgoxXN7EW9/2NUXayTbCfyAk8MQwZzwikyg08rSLLXdjrPlrfV1cQLjrIbNh9p0qVlo7obxlAuW7pvc1egtv1dPoQow7UOOsyB0pV1eegVWk3SLt4udNdTS6ZjQiBew57cRcWm/hUvAT4RiYR7PfOGeDW5ya4VImfLhzSSAh3Qc9QGOs3XBfuYUvS0tTv8mPBe+emUUgDwPQn6qodssuCP28yKW62pnn8Qp79YhxaWElesJOHYLL7zH0Js0HuXzrx6aOSXKH1vHx1OCUoNwc4WNiq0i06KI1AMq0N4wfdFcR+wYC36R+Fc5ln4cLJSCH4LHGJVY2bAMabsTfUsDNPoj09MWI3V6Q8JCkU5rmjchWoEh0oOLy2ohVb0zcoYukHkWn
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0701MB2394.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(366004)(39860400002)(346002)(136003)(396003)(8936002)(30864003)(86362001)(83380400001)(2906002)(31696002)(71200400001)(76116006)(66946007)(66556008)(66446008)(5660300002)(36756003)(66476007)(6486002)(64756008)(316002)(966005)(186003)(478600001)(6506007)(53546011)(4326008)(6512007)(8676002)(31686004)(26005)(110136005)(2616005)(54906003)(43740500002)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: l6Fd5wwdkbzFa7ZD1RUHaduULiVsVSo2S2BpTbv9JRFeZEXWJ0wwI5nDf7JpT2EAmQbU3et1SW3TSaQIKSqcRWWvU5I/9UrTMGBw6mAF9RsQSdENTJMEBaTcXiUif4iep4ngMMFEKu3iRbeuR8x7jHeNFKUs1Z9/ySxNpVqgcOtNGKVz0tZjxG8W1OcqHIJkNcXFisl2BF8jo3ROsbPCcaXrtcDdzg5GEO9CgNatyllBkiOvA+U95fjduPkaGjhn67siT98+qGN3RLPhDJ2ukJ6XVGrxo1sjon3cNwp5oiz/0iRPvkR77+ZQgZIkZrX4TSuVL6KfBsM+CBagK7GTPbZtcptentvUhydWDN5jhadYFpk6oCiIt0v+WY1LyUKZLe89hdEba+XTNMFdiQiGIwZf1jaAmS+zA0Xau6S6tJkQhyPWAJqnWdqHAXAddvdQnhwoEluZy7bnlClS2mMhox8oI+ihKy4fqMIwHyk+bC75CSOncP7tG2ZfiQsCMiHdlk6RB7tW5aKLXkqmgr4OZ6jrnbz8/kn7J2qd1N6UmPiYmKkFqnguOoCpIMV/WIofKeHhwxkkL5nkK67XyDbsvd5lNTtMbkRaRiPKwdHdgloKnvFaRN7FVxnvxgoJsgAeVMxXg8rMALatmAPj1NiPkImLyiN9Wds9LUMJ3WnH4Ao7+BVByx8ER0rUjS9RHIReh+lmC09DUl1hEhBTtIaV5VYp9Xip7bipz6BsiG7XpQRIlJ5guiy1eySv2zoWuvxYDnAA+ciD0QHMcNeqYklGfrRXDFuZjUIxaMSyssY9E0QBguTxX/rnNoEz3huSaiEyqB74gIryU0aDYCMkKGpAnKe5Wp/ZZqIUT9AgaKm6kC+IJrhnq9Iy6FzaaTG/2vxSWaqcwdL53ajvT2NyiLuZ9A3kt7qOn6miUhsln47lsVI/XswlA+R2PlRVuKAhFfFuhQmAQCTfCity5ISCfqSSlmKHs7mb6pASExDPJNfEjEE=
Content-Type: text/plain; charset="utf-8"
Content-ID: <F82575C81F076B4591A70C4DE137BF83@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0701MB2394.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5b146709-fc2a-461d-b66d-08d8b15ee7ae
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Jan 2021 09:47:24.3384 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: rc12PqNNVFck0kgANStS5oTJArcr1iaGzh9Uep6EzsJiwidwp5YNP6DUyAR92XsA9T8KLqGp01AUeGE5ZqfRlCJDLvtW+29F7VZWJZ46TPM=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0702MB3545
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/oz9PJDYd5NpDZ0qhv0hn1Ym82kw>
Subject: Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jan 2021 09:47:33 -0000

Hi again,

The following issues are related but not exactly the same:
1. indication from the server that the handshake is complete and it is 
okay to tear down the tunnel
2. indication from the server that no more post-handshake messages 
(containing NewSessionTicket or something else) will be sent.

We can't rely on EAP-Success as an indication of either since that 
message is never delivered to EAP-TLS and it maybe lost or spoofed. 
Ben's discuss arises from 2 and not 1. More at the end of the email.

On 1/5/21 7:26 AM, Benjamin Kaduk wrote:
> Hi Martin,
>
> Thanks for chiming in here; your insight has been quite helpful already.
> (I am going to reply to the thread in reverse order so as to not duplicate
> what you've already said.)
>
> On Tue, Jan 05, 2021 at 02:50:15PM +1100, Martin Thomson wrote:
>> Hi Alan,
>>
>> On Tue, Jan 5, 2021, at 14:05, Alan DeKok wrote:
>>> On Jan 4, 2021, at 6:26 PM, Martin Thomson <mt@lowentropy.net> wrote:
>>>> Your point about reliability is confusing.  I've read Section 4.2 of RFC 3748 and while it says "A peer MUST allow for this circumstance as described in this note.", I see no explanation of how to concretely make that allowance.  Are you saying that EAP methods don't really use EAP-Success and condition their behaviour on other signals?
>>>    EAP-Success by itself is *not* a reliable indication of Success.  See
>>> RFC 3748 Section 4.2:
>>>
>>>     Success and Failure packets MUST NOT be sent by an EAP authenticator
>>>     if the specification of the given method does not explicitly permit
>>>     the method to finish at that point.
>> This is fine.  What you might be concerned about is the nature of the signals that the EAP authenticator is receiving from TLS.  What you had in the case of TLS 1.2 was the stack providing bytes to send (which were to go in EAP-Request) and then, after everything is done, a positive signal saying that the handshake was complete and satisfactory.  That latter signal is the important one.
> Yes.  Part of what had me so unhappy about this document is that the
> Commitment Message is discussed only as a "promise to not send more
> handshake messages", not "an indication that the handshake is complete and
> the TLS layer is happy".  (Furthermore, what Alan writes below about
> "cannot distinguish a "finished authentication" EAP-Success from a
> "spoofed" EAP-Success" really needs to make its way into the document.)
>
>> TLS 1.3 muddies things by allowing bytes to be sent *after* the complete+satisfactory signal from TLS.  That's what you are grappling with here.  What I'm suggesting is that you don't rely on looking at what bytes hit the wire, but wait until two conditions are complete:
>>
>> 1. The TLS stack says that it is content: the handshake is complete and it is OK with whatever the other side has provided.
>> 2. The TLS stack has no more bytes to send.
>>
>> The latter is likely where the confusion comes from, but if the stack doesn't produce bytes when you give it bytes, then you don't need to keep waiting.  For what you depend on, that's enough.
> I agree that this is probably good enough.  There may be some complications
> depending on how badly the availability of session resumption is desired (I
> know OpenSSL provides an API to let the application requst a new session
> ticket regardless of whether any were sent with the initial handshake -- I
> wrote it -- though I need to tweak it so that it will not always wait for
> application data to send before sending the ticket), but I believe this
> provides the key functionality.
>
>> The mistake with sending application data is that there is no obligation on the part of the TLS stack to order its sending of NewSessionTicket relative to the application data.  Nor is is possible for you to correctly distinguish TLS data that contains your Confirmation Message from a record that just contains a little bit of a session ticket.  But you don't need to worry about that.
>>
>> An example might help illustrate:
>>
>> 1. ... many steps occur
>> 2. Client sends EAP-Response ending in a TLS Finished.
>> 3. Server reads that message, processes it and determines that the handshake is complete and acceptable (e.g., checks the client certificate against its policy).
>> 4. As the server is happy, it writes the Confirmation Message to TLS.
>> 5. Server asks TLS stack for outstanding data to write; TLS stack provides a bunch of application_data records.
> (In particular, this is the TLSCiphext content type that is
> "application_data", and the inner content type could be handshake or
> application data.  The application doesn't have visibility into it.)
>
>> 6. Server writes TLS records into an EAP-Request and sends it.
>> 7. Client receives this and sends an empty EAP-Response.
>> 8. Server sends EAP-Success.
>>
>> This is, I assume what you intend here, with a little more detail around steps 3-5.  But what happens if the TLS stack prioritizes application data above its own maintenance such that at step 5 the Confirmation Message is written to the wire before the TLS NewSessionTicket?  Is that a problem?  What validation is the client expected to perform at step 7?
> I would like to see a more precise description of what properties are
> actually needed by peer and responder here, yes.  I agree that TLS 1.3 has
> changed things compared to 1.2, but the text currently in the draft doesn't
> do very well to motivate why this information is important, and (at least
> to me) doesn't give a strong enough justification to merit the awkwardness
> of the proposed design.
>
>>>    With TLS 1.3, we don't know if the authentication has completed until
>>> the TLS layer sees either (a) CloseNotify, or (b) application data.  So
>>> the EAP-TLS implementations cannot distinguish a "finished
>>> authentication" EAP-Success from a "spoofed" EAP-Success.  Because the
>>> EAP-TLS implementation has no idea of TLS is done, and therefore no way
>>> to tell that the EAP-Success is permitted at this point in the
>>> negotiation.
>> As I indicated in my response to Mohit, if the intent is to provide the client with a signal, then using TLS application data to do that is imperfect, but probably OK.  What would have been ideal is some EAP-layer message that is authenticated somehow.
>>
>>>    Therefore, we need an explicit signal to the EAP-TLS layer that the
>>> EAP-TLS method has finished.  Discussion on the list went back and
>>> forth between CloseNotify and sending one octet of application data.
>>> Implementations have done both.  The conclusion was that the one octet
>>> of application data was slightly easier to implement.
>>>
>>>    Plus, sending CloseNotify precluded the TLS layer from sending a TLS
>>> Fatal Alert:  https://www.mail-archive.com/emu@ietf.org/msg03092.html,
>>> which says in part:
>> I agree that sending a close_notify alert isn't ideal - during this process.  I also agree that making sure that genuine handshake failures are reported reliably using EAP-Request, that's just plain good sense.
>>
>> I don't understand why you would want to send a fatal alert after successfully completing and accepting the handshake, but if that is something you care about, then that clearly rules out its use for signaling success.  I didn't suggest that.
> This somewhat gets into another point that I was hoping would be discussed
> more.  (The proposal for "close_notify" came up as the in-TLS way to
> signify "no more records coming", which includes "no more handshake records
> coming".)  The perceived issue with "close_notify" as the commitment
> message, clearly discussed in the linked message, is that "close_notify" is
> unsuitable as a commitment message when being sent in the same flight as
> server Finished.  What is very unclear to me is how often that state could
> actually be achievable.  For one, if we do move (per the previous
> discussion) to the state where the "TLS is done" signal is something like
> "TLS says it's done and has no more bytes to send", this situation *by
> definition* cannot occur, since TLS will not report the handshake as
> complete until client Finished is processed.  Even if we ignore that,
> though, we have to consider the interaction between resumption and client
> authentication.
>
> My understanding is that EAP is primarily used as a mutual authentication
> protocol, i.e., the client has a certificate it's going to use to
> authenticate, and the EAP Peer's identity is the identity from that
> certificate.  The desire to send the commitment message in the same flight
> as the server Finished stems from the desire to avoid another round-trip.
> But using TLS resumption will *also* save round trips, and in these
> pessimal cases where the certificate chains are huge, resumption will save
> a lot more than one round-trip.  But, if you send the commitment message
> with the server Finished, you can't send a NewSessionTicket that includes
> the client certification information at all.  So by gaining the 1 RTT from
> moving up the commitment message, you sacrifice a lot more RTTs by losing
> resumption.  Given my priors about how this is going to be used, that seems
> like a lousy tradeoff.  I'm happy to hear that I'm making invalid
> assumptions here, but it seems like you would only be able to take
> advantage of that 1 RTT gain from the commitment message for the case of
> unauthenticated clients, in expected deployments, and unauthenticated
> clients seem to be rare.
In figure 1 of the current EAP-TLS draft: 
https://tools.ietf.org/html/draft-ietf-emu-eap-tls13-13#section-2.1.1, 
the server already announces its intent of not issuing NewSessionTicket 
before receiving the client certificate (potentially saving one round 
trip). In figure 2: 
https://tools.ietf.org/html/draft-ietf-emu-eap-tls13-13#section-2.1.2, 
this is done after receiving the client certificate (causing one extra 
round trip but at the same time helping with resumption).

What I am gathering is that this commitment message should instead be 
made into a confirmation message, i.e. it should only be sent after 
receiving TLS Finished from the client? This would result in one extra 
round trip to both figure 1 and 3 in the current draft. So we would end 
up with the same number of messages as RFC 5216 for full authentication 
(https://tools.ietf.org/html/rfc5216#section-2.1.1) and actually do 
worse than RFC 5216 (one extra round trip) in case resumption 
(https://tools.ietf.org/html/rfc5216#section-2.1.2).

Maybe this is acceptable? The draft anyway notes that "Sending the 
Commitment Message in a separate EAP-Request adds an additional 
round-trip, but may be necessary in TLS implementations that only 
implement a subset of TLS 1.3.". In which case, I am not sure if the 
reasons against using close_notify apply anymore.

--Mohit
>
> -Ben
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email