[TLS] Re: [lamps] Re: [EXTERNAL] Re: Re: Re: Re: TLS Client Certificates; a survey
Michael Richardson <mcr+ietf@sandelman.ca> Tue, 07 April 2026 19:31 UTC
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Tls <tls@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
Date: Tue, 07 Apr 2026 15:31:21 -0400
Message-ID: <16825.1775590281@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qpf6V2xjn3kD5a4z7qi2TnK3zAc>
Peter Gutmann <pgut001=40cs.auckland.ac.nz@dmarc.ietf.org> wrote:
> This is how rationally-written applications do things [*]. The problem is that, particularly under Windows, it's very easy to get drawn into trusting everything Windows trusts, which means in effect any cert issued by any
Feels like 30 years of this kind of nonsense :-(
> Does Linux have an equivalent systemwide cert store that everything ends up using? That is, do people use the NSS cert store or the Chrome cert store as a de facto equivalent of CERT_SYSTEM_STORE_LOCAL_MACHINE or whatever?
No.
1. The Chrome cert store comes with Chrome. Extensions/additions are per-account/per-profile.
2. /etc/ssl/certs/ is the "system" trust store, but it comes with no authorizations as to CA purpose. I can believe that people make the same "trust everything" mistake, but I think it's harder.
> [*] In my case I tell people to key off the public key fingerprint since proof of control of the user's private key is what matters, not what some random CA decides to sign. So it's more like AADS than anything-some-CA-signs-we-trust.
Yes... very good advice.
But a pathology I find is that this is far more difficult to pin than it should be. Postfix and fetchmail do very good jobs of logging the fingerprint that *would* have worked... The missing part is getting that potential fingerprint into a database/admin-interface that makes it easy for the administrator to authorize.
--
Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
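The fingerprint-to-authorization gap described in the message above, worked through as an added example (not code from Postfix, fetchmail or anyone in the thread): it pulls the `pkey_fingerprint=` field out of Postfix-style smtpd log lines (constructed here), normalizes it, checks it against an allowlist held in an in-memory SQLite store, and queues any unknown key for an administrator to approve with `authorize()`. The `spki_fingerprint()` helper shows the quantity being pinned, a SHA-256 over the DER SubjectPublicKeyInfo taken from a `BEGIN PUBLIC KEY` PEM block, which does not depend on which CA signed the certificate. The host names, CNs, fingerprints and the Ed25519 key bytes are all made up; the assumption is that the server's configured fingerprint digest is SHA-256.

```python
"""Authorizing TLS clients by public-key fingerprint.

Added example for this thread; not code from Postfix, fetchmail or any of the
posters. It assumes Postfix-style smtpd log lines carrying a 'pkey_fingerprint='
field (the lines below are constructed) and uses an in-memory SQLite database as
a stand-in for the admin-facing authorization store the message says is missing.
"""
import base64
import hashlib
import re
import sqlite3

# Constructed SHA-256 public-key fingerprints in the colon-separated form Postfix logs.
FP_A = "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"
FP_B = "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF"

# Constructed log lines; the field layout follows what Postfix prints at
# smtpd_tls_loglevel 2, but the hosts, CNs and fingerprints are made up.
LOG_LINES = [
    "Apr  7 15:31:21 mx postfix/smtpd[2141]: laptop-a.example.org[192.0.2.10]: "
    f"subject_CN=laptop-a, issuer_CN=Example CA, fingerprint=<omitted>, pkey_fingerprint={FP_A}",
    "Apr  7 15:32:02 mx postfix/smtpd[2150]: unknown[198.51.100.7]: "
    f"subject_CN=newbox, issuer_CN=Example CA, fingerprint=<omitted>, pkey_fingerprint={FP_B}",
    "Apr  7 15:32:40 mx postfix/smtpd[2151]: unknown[198.51.100.9]: "
    "Anonymous TLS connection established from unknown[198.51.100.9]: TLSv1.3",
    "Apr  7 15:33:15 mx postfix/smtpd[2155]: unknown[198.51.100.7]: "
    f"subject_CN=newbox, issuer_CN=Example CA, fingerprint=<omitted>, pkey_fingerprint={FP_B}",
    "Apr  7 15:34:00 mx postfix/smtpd[2160]: laptop-a.example.org[192.0.2.10]: "
    f"subject_CN=laptop-a, issuer_CN=Example CA, fingerprint=<omitted>, pkey_fingerprint={FP_A.lower()}",
]

# Constructed Ed25519 SubjectPublicKeyInfo (key bytes 0..31, not a real key), wrapped
# as the 'BEGIN PUBLIC KEY' PEM that `openssl x509 -pubkey -noout` would emit.
_DER = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
SAMPLE_PUBKEY_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                     + base64.encodebytes(_DER).decode()
                     + "-----END PUBLIC KEY-----\n")

PKEY_RE = re.compile(r"pkey_fingerprint=([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)")
PEER_RE = re.compile(r"postfix/smtpd\[\d+\]: (\S+\[[^\]]*\]):")


def normalize(fp: str) -> str:
    """Canonical form: uppercase hex without separators, so 'aa:bb...' and 'AABB...'
    compare equal. Accepts only whole SHA-256 (32-byte) digests."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(digits) != 64:
        raise ValueError(f"expected a 32-byte fingerprint, got {fp!r}")
    return digits


def extract_pkey_fingerprint(line: str):
    """Return the normalized pkey_fingerprint from a log line, or None if absent."""
    m = PKEY_RE.search(line)
    return normalize(m.group(1)) if m else None


def spki_fingerprint(pem: str) -> str:
    """SHA-256 of the DER SubjectPublicKeyInfo inside a 'BEGIN PUBLIC KEY' PEM block.
    Pinning the key rather than the certificate keeps the pin valid across
    re-issuance, whichever CA signed the certificate."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest().upper()


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE authorized (pkey_fp TEXT PRIMARY KEY, label TEXT NOT NULL);
        CREATE TABLE pending (pkey_fp TEXT PRIMARY KEY, peer TEXT, first_seen TEXT,
                              last_seen TEXT, seen INTEGER NOT NULL);
    """)
    return conn


def authorize(conn, fp, label):
    """Admin action: move a fingerprint from the review queue onto the allowlist."""
    fp = normalize(fp)
    conn.execute("INSERT OR REPLACE INTO authorized VALUES (?, ?)", (fp, label))
    conn.execute("DELETE FROM pending WHERE pkey_fp = ?", (fp,))
    conn.commit()


def is_authorized(conn, fp) -> bool:
    return conn.execute("SELECT 1 FROM authorized WHERE pkey_fp = ?",
                        (normalize(fp),)).fetchone() is not None


def process_log(conn, lines):
    """Replay log lines: count authorized keys, queue unknown ones for review."""
    summary = {"authorized": 0, "pending": 0, "no_fingerprint": 0}
    for line in lines:
        fp = extract_pkey_fingerprint(line)
        if fp is None:
            summary["no_fingerprint"] += 1
            continue
        if is_authorized(conn, fp):
            summary["authorized"] += 1
            continue
        ts = line[:15]  # syslog timestamp prefix of the constructed lines
        peer_m = PEER_RE.search(line)
        peer = peer_m.group(1) if peer_m else "?"
        cur = conn.execute("UPDATE pending SET last_seen = ?, seen = seen + 1 "
                           "WHERE pkey_fp = ?", (ts, fp))
        if cur.rowcount == 0:
            conn.execute("INSERT INTO pending VALUES (?, ?, ?, ?, 1)", (fp, peer, ts, ts))
        summary["pending"] += 1
    conn.commit()
    return summary


def pending_review(conn):
    """What the admin interface would show: unknown keys, most frequently seen first."""
    return conn.execute("SELECT pkey_fp, peer, seen FROM pending "
                        "ORDER BY seen DESC").fetchall()


if __name__ == "__main__":
    store = open_store()
    authorize(store, FP_A, "laptop-a")
    print(process_log(store, LOG_LINES))
    for fp, peer, seen in pending_review(store):
        print(f"pending: {fp} from {peer}, seen {seen}x")
```

Run as a script, the replay authorizes both connections from the pinned key, ignores the anonymous session, and leaves the unknown key queued with a count of two, which is the record an administrator would review before calling `authorize()`.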