[TLS]Re: [EXTERNAL] Re: Re: Discussions on Trust Anchor Negotiation at IETF 120

Andrei Popov <Andrei.Popov@microsoft.com> Sat, 03 August 2024 21:26 UTC

To: Eric Rescorla <ekr@rtfm.com>, Tim Hollebeek <tim.hollebeek@digicert.com>
CC: TLS List <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tAXoBvJMVV_LNnBOSm0JgnJOZDo>

> IMO the best place to start would be to try to build some consensus on which problems we want to solve (including whether existing approaches are sufficient) rather than on the details of specific proposals.

I strongly agree with this.

Cheers,

Andrei

From: Eric Rescorla <ekr@rtfm.com>
Sent: Saturday, August 3, 2024 8:18 AM
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Andrei Popov <Andrei.Popov@microsoft.com>; Salz, Rich <rsalz@akamai.com>; Dennis Jackson <ietf@dennis-jackson.uk>; TLS List <tls@ietf.org>
Subject: [EXTERNAL] Re: [TLS]Re: Discussions on Trust Anchor Negotiation at IETF 120

I agree that an interim focused on this topic would be a good idea.

IMO the best place to start would be to try to build some consensus on which problems we want to solve (including whether existing approaches are sufficient) rather than on the details of specific proposals. Once we've done that, the WG will be better positioned to address those problems.

-Ekr


On Tue, Jul 30, 2024 at 12:47 PM Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org> wrote:
I agree with this.

Also, the poll that was done at the TLS session is prone to being misunderstood.

There was a poll about a preference between the two drafts, but the question of whether either of the drafts is necessary was skipped. I don't think it's fair to do a presumptive close on that unaddressed question.

Someone asked on the chat, something along the lines of "does anyone other than Chrome want this?" So the question is out there and deserves an intelligent answer.

I happen to be one of the people who perhaps does want something like this, but I want to have a full discussion on where we're going and why, instead of prematurely focusing on any particular draft or solution before we know what problem(s) we're trying to solve.

I realize Google has spilled a lot of electrons on these questions, and I think everyone deserves an appropriate amount of time to digest and think through the complex issues these drafts raise.

And I think an interim to focus on clarifying these important issues would be helpful.

-Tim

> -----Original Message-----
> From: Andrei Popov <Andrei.Popov=40microsoft.com@dmarc.ietf.org>
> Sent: Monday, July 29, 2024 1:49 PM
> To: Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>; Dennis Jackson <ietf=40dennis-jackson.uk@dmarc.ietf.org>; TLS List <tls@ietf.org>
> Subject: [TLS]Re: Discussions on Trust Anchor Negotiation at IETF 120
>
> I agree that an interim meeting would be useful. It seems unlikely that we will make much progress on the mailing list alone.
>
> Cheers,
>
> Andrei
>
> -----Original Message-----
> From: Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>
> Sent: Monday, July 29, 2024 9:00 AM
> To: Dennis Jackson <ietf=40dennis-jackson.uk@dmarc.ietf.org>; TLS List <tls@ietf.org>
> Subject: [EXTERNAL] [TLS]Re: Discussions on Trust Anchor Negotiation at IETF 120
>
> > The Trust Anchor Identifiers draft was first published only 4 weeks ago, received less than 10 minutes of discussion in the meeting
>
> I strongly agree with this. Well, actually, everyone should be able to agree with this because it's two factual statements. :)
>
> I think the challenge of having an interim will be that one group will want to discuss the details of the proposal, while another group will want to discuss the details of the problem we are trying to solve. I hope the chairs will be able to make things explicit and keep the discussions on-topic.
>
> If the authors share Sophie's opinion, they could withdraw the Trust Expressions draft and just leave Trust Anchors as something to be discussed.
>
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org