[TLS] Re: PKI dynamics and trust anchor negotiation
Mike Shaver <mike.shaver@gmail.com> Fri, 07 February 2025 14:44 UTC
Return-Path: <mike.shaver@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47DAEC169435 for <tls@ietfa.amsl.com>; Fri, 7 Feb 2025 06:44:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rxu0kiuRRKXh for <tls@ietfa.amsl.com>; Fri, 7 Feb 2025 06:44:26 -0800 (PST)
Received: from mail-oo1-xc36.google.com (mail-oo1-xc36.google.com [IPv6:2607:f8b0:4864:20::c36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC4E9C14F6FB for <tls@ietf.org>; Fri, 7 Feb 2025 06:44:26 -0800 (PST)
Received: by mail-oo1-xc36.google.com with SMTP id 006d021491bc7-5fa2685c5c0so830043eaf.3 for <tls@ietf.org>; Fri, 07 Feb 2025 06:44:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1738939466; x=1739544266; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=0MPmao4fsN19hflZ98WWq91scM20AYDz+GrU4SirBNI=; b=Dmx7rR7K8v82Tnu42g5n/PS3OGSQdI19XzKhsXlmiwrFvIAGc0WJitKHA51PQKxyH+ A//5bXdZL1UIN5batgUAsWmXXY39gQJzl899GXR0tKy211rP3IkeeyvONBPOhNsZ3YDr 9INRTqe+2bUeJX1yiRKIt3ZThDpPndDs14pQibIiEGdqILx79bXQ693xCPRBc2g1bQw3 dZu3Orr22O43h2UL25Kb03uumNqCGv4AzxsKoguyCcMVEAhW/R96wwV4GQEc12+IvNte mdxpyHy3vfVioZMQf4GTMwXwI7Um6NDnldpGz+9LfJPl0dDnLIDCmTAWtjXWRXEwPSCc aGUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738939466; x=1739544266; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=0MPmao4fsN19hflZ98WWq91scM20AYDz+GrU4SirBNI=; b=fyBqjE5fs4i8EUexZo6vcb74O9VMowpN8Kn8xAxyAPxVnUIU0k7vJhyl8dRvdv63y3 gkCDXGotF2Q1iUfuwXoqJu02ewygJy4Uzh+RdojpaLNR1btkGPHV4BtCVYzUx/Y+FGIQ YbIh+EdL/H/HHEcUpq92cTPJW8psqKUtcTL/8748839QRtgX7Iouaj4auY6qH5jfNcHb Tu0IauaPccb6qqsLZPkt2yDqLxUJ1k/BdBjuXh4Cci9frzIBVyLVpU5QUOCSj1bejJNx Up2EmCt5gMezvpYWesT8TczLAfsFUU+Qgz/1/EPKNkDy9EtYrHrJP8X9TLauPK6UbqHf //Cw==
X-Forwarded-Encrypted: i=1; AJvYcCVOmXwr/dicSCRbwkarH0LvdlfZNeEV14R7Sybxma31ivGFtquG07xxHu9zSIZNYTKPRX8=@ietf.org
X-Gm-Message-State: AOJu0YwNa+93aMOi/HefibPDUhkOYPxQGw9OVEi5tmEYcb6ZT1RFts8s GodTvFc9DJs0YNfbTx85Sb40q/r+sOP5Pf5PuBaKKI4GXHqlb65UN7vluBfaDhlug8+ckk8dRPZ n5cxfWe269fMxdqARCawR/3TKr/E=
X-Gm-Gg: ASbGncuHPMvE8noK14qAvcVQOqCxkLjPd88aSUn2d0syxxcgkMY0hmAQZVpvwqmHcci 5d9kbGx76qS3ie2aJK8YwSWlqhRrCSNofbmPVHE+d2jNpbSFtzJf/yBaImiJ5HsM1Pd+ZitoP
X-Google-Smtp-Source: AGHT+IGDONv98VR8FqgV4L5/ts/j0sGvJv2Mt2sQR5o+P7yxXbcCUpN8f8nP5kKp2qucu0m9A5A6hC1cYL1KeApDnP0=
X-Received: by 2002:a05:6820:1689:b0:5f6:4be3:5a3d with SMTP id 006d021491bc7-5fc5e6f52e3mr1914562eaf.3.1738939466038; Fri, 07 Feb 2025 06:44:26 -0800 (PST)
MIME-Version: 1.0
References: <CAF8qwaANSCodvYKAxSJf1EFnJaXmFAfD+USCg+kRVY9eRa1zow@mail.gmail.com> <CACsn0ckxGKq2pnNrRXqyb1UtHnJHunByrEmr3o=1Y5XrWx4X0g@mail.gmail.com>
In-Reply-To: <CACsn0ckxGKq2pnNrRXqyb1UtHnJHunByrEmr3o=1Y5XrWx4X0g@mail.gmail.com>
From: Mike Shaver <mike.shaver@gmail.com>
Date: Fri, 07 Feb 2025 09:36:13 -0500
X-Gm-Features: AWEUYZlXDryTY9BSHZxScidiY890THjYViKS1vZJqyUDPQGW3EPCrTD4WkmFzf4
Message-ID: <CADQzZqteTezp4tfC02voQ2wr1U0WY+2sBrWwEgg-s3AY2ZChnw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000028c591062d8e65f9"
Message-ID-Hash: PDRW4O3GP6UY4NUYV2O2LN27FPGVGCJF
X-Message-ID-Hash: PDRW4O3GP6UY4NUYV2O2LN27FPGVGCJF
X-MailFrom: mike.shaver@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "<tls@ietf.org>" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: PKI dynamics and trust anchor negotiation
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/sB75HdyjXhwtDByfYrFUeNcM4JU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Hi Watson, On Thu, Feb 6, 2025 at 8:10 PM Watson Ladd <watsonbladd@gmail.com> wrote: > A negotiation where what is advertised is an inherently opaque > pointer, and where each side must maintain an idea of what that could > mean, does not have this property. Servers have to explicitly act to > support the new identifier by getting a configuration that includes > it. Whether or not this is indirectly away as part of ACME doesn't > really change the equation. New clients can't count on server support, > unless they advertise an already existing value. There's been various > ways to express deltas to try to solve this, but they all involve > paying a penalty for deviation. > > The dynamic I'm worried about most then isn't fracturing: as you point > out there are some countervailing forces where people want easy > support. Rather it's that we artificially drive up the price of > picking different CAs than the dominant implementation. I very much share the concerns you've articulated here: increased barriers to entry both for new CAs and for new clients which have different root-management policies than the existing dominant implementation, and outsized penalties for differing from a "well-known set" as might happen from having tighter requirements on CA operation over time. The opaque token seems like it could lead to the properties that you (and I) wish to avoid, but when expressing my support for the group taking up the draft, I felt that the specific identifier form for trust anchors was still mutable, and therefore that it wasn't a barrier to draft adoption. If I have misunderstood, and identifiers must inherently be opaque in that way for all forms of trust anchors negotiation, then I appreciate the correction! Mike
- [TLS] PKI dynamics and trust anchor negotiation David Benjamin
- [TLS] Re: PKI dynamics and trust anchor negotiati… Salz, Rich
- [TLS] Re: PKI dynamics and trust anchor negotiati… David Benjamin
- [TLS] Re: PKI dynamics and trust anchor negotiati… Watson Ladd
- [TLS] Re: PKI dynamics and trust anchor negotiati… Mike Shaver
- [TLS] Re: PKI dynamics and trust anchor negotiati… Dennis Jackson
- [TLS] Re: PKI dynamics and trust anchor negotiati… Bob Beck
- [TLS] Re: PKI dynamics and trust anchor negotiati… David Benjamin
- [TLS] Re: PKI dynamics and trust anchor negotiati… David Benjamin
- [TLS] Re: PKI dynamics and trust anchor negotiati… Watson Ladd
- [TLS] Re: PKI dynamics and trust anchor negotiati… Bas Westerbaan
- [TLS] Re: PKI dynamics and trust anchor negotiati… David Adrian
- [TLS] Re: PKI dynamics and trust anchor negotiati… Watson Ladd
- [TLS] Re: PKI dynamics and trust anchor negotiati… David Benjamin