[TLS] Re: Is there any interest in an RFC on how to do cross-organization mTLS?
John Mattsson <john.mattsson@ericsson.com> Tue, 10 September 2024 07:16 UTC
From: John Mattsson <john.mattsson@ericsson.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, Mark Robinson <mark@markrobinson.io>, "tls@ietf.org" <tls@ietf.org>, "uta@ietf.org" <uta@ietf.org>
Date: Tue, 10 Sep 2024 07:16:15 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/v3i3UqTUDlse2WpXpnWv8C_Ogzs>
I would be very supportive of such an approach. I think the scope should cover mTLS in general, not just cross-organization. The term mTLS is not even defined in IETF; in fact the TLS WG has previously used mTLS for at least two other things.

It would be good to have a document to refer to for implementation requirements. A lot of TLS implementations are not at all suitable for mTLS. I have seen a lot of cases where people assume that any product supporting TLS will be suitable for mTLS. But often they are very limited and don’t support client certs, don’t support revocation, don’t support extracting certificates from the handshake, etc.

I think it would also be very good to have an mTLS RFC when TLS 1.4 is done sometime in the future. TLS 1.3 removed a lot of functionality that was important to a lot of mTLS deployments, like a fourth handshake message, ephemeral ECDHE during a connection, reauthentication, and moved external PSK identifiers to a message where there is no identity protection. It is not the TLS WG’s fault if nobody was there to argue for the need of these things, but it would be good to have a document documenting these things in the future. Note that mTLS deployments are very different and might require different things.

Cheers,
John

From: Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>
Date: Monday, 9 September 2024 at 22:30
To: Mark Robinson <mark@markrobinson.io>, tls@ietf.org <tls@ietf.org>
Subject: [TLS] Re: Is there any interest in an RFC on how to do cross-organization mTLS?

>> Would it be appropriate to write an RFC on how to make cross-organization mTLS work reliably and at scale? Would this group/mailing list be the right people to work with to make that happen?
>
> You should also ask the UTA working group if they are interested.
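As an added example (not from this thread or any of its authors) of what "suitable for mTLS" means in an implementation, using Go's standard crypto/tls: the server requires a client certificate, verifies it against an explicit trust pool, and extracts the client identity from the completed handshake, while the same code under tls.NoClientCert degrades to plain TLS with no client identity. The credentials and the names server.example and client.example are constructed for the example, and revocation checking, which the message also lists as a requirement, is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)
// NewCred makes a short-lived self-signed credential (DNS SAN = name) and a pool trusting only it.
// Constructed for this example; real deployments use CA-issued certificates and check revocation.
func NewCred(name string) (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, pool
}
// Handshake runs one loopback TLS 1.3 handshake: the server applies policy and trusts clientCAs,
// the client presents client. It returns the identity the server verified from the client cert.
func Handshake(policy tls.ClientAuthType, client tls.Certificate, clientCAs *x509.CertPool) (string, error) {
	srvCert, srvPool := NewCred("server.example")
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, MinVersion: tls.VersionTLS13,
		ClientAuth: policy, ClientCAs: clientCAs} // RequireAndVerifyClientCert is what makes it mTLS
	cliCfg := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: srvPool, ServerName: "server.example"}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go tls.Dial("tcp", ln.Addr().String(), cliCfg) // client side; the runtime reclaims its socket
	raw, err := ln.Accept()
	if err != nil {
		return "", err
	}
	srv := tls.Server(raw, srvCfg)
	defer srv.Close()
	if err := srv.Handshake(); err != nil {
		return "", err // a missing, untrusted or expired client certificate fails here
	}
	if peers := srv.ConnectionState().PeerCertificates; len(peers) > 0 {
		return peers[0].DNSNames[0], nil // identity the server may now authorize on
	}
	return "", nil // plain TLS (NoClientCert): the server learned nothing about the client
}
```

A second credential with the same name but a different key is rejected by the server, which shows that the identity is bound to the trust anchor rather than to the name in the certificate.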