[TLS] Re: [lamps] Re: TLS Client Certificates; a survey
Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com> Mon, 23 March 2026 19:00 UTC
From: Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>
To: Nico Williams <nico@cryptonector.com>
Date: Mon, 23 Mar 2026 19:00:16 +0000
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, Tls <tls@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pPbkNwDeT_6iSFPSyBsFqh8IZeQ>

It was in Alan DeKok's message.

________________________________
From: Nico Williams <nico@cryptonector.com>
Sent: Monday, March 23, 2026 11:37 AM
To: Tomas Gustavsson <Tomas.Gustavsson@keyfactor.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>; Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>; Tls <tls@ietf.org>; spasm@ietf.org <spasm@ietf.org>
Subject: Re: [lamps] Re: TLS Client Certificates; a survey

On Mon, Mar 23, 2026 at 06:21:47PM +0000, Tomas Gustavsson wrote:
> > We should admit that the CA infrastructure has failed us for nearly
> > all use-cases. Either the CA infrastructure is the web, and
> > (despite the CA/B forum rules) it's OK to use web certs in non-web
> > contexts. Or, the CA infrastructure is more than the web, and we
> > need to have new, non-web CAs with rules
> > outside of the CA/B forum.

[I can't figure out who wrote this.]

There was never _a singular_ PKI to refer to as _the_ PKI. The WebPKI
is a collection of PKIs w/o name constraints, so not really _a PKI_.

There is _a singular_ PKI of sorts today that we could refer to as _the_
PKI, though it is not an x.509 PKI: the DNS w/ DNSSEC.

My advice is to pursue DANCE.

> There are tons of CAs outside of the WebPKI/CA/B Forum ecosystem. For
> web and non-web use cases. EU TSPs, X9 Financial PKI, Adobe, ICAO,
> just to mention a few well known. [...]

Right, and none are _the_ PKI. There is no _the PKI_ outside of DNSSEC.

Nico
--