[TLS] Re: Transparent TLS Client Auth (t2CA)
Shumon Huque <shuque@gmail.com> Wed, 21 May 2025 14:26 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 056092B3BAEF for <tls@mail2.ietf.org>; Wed, 21 May 2025 07:26:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vgms2DV-RTtw for <tls@mail2.ietf.org>; Wed, 21 May 2025 07:26:09 -0700 (PDT)
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 55AD92B3BAE8 for <tls@ietf.org>; Wed, 21 May 2025 07:26:09 -0700 (PDT)
Received: by mail-wm1-x334.google.com with SMTP id 5b1f17b1804b1-43d0618746bso55885795e9.2 for <tls@ietf.org>; Wed, 21 May 2025 07:26:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1747837568; x=1748442368; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=YzQoi4QOuedd2JoaQVnD0qgzd/xiMjhBYDwpVghwjAc=; b=VUm5f90UKD9fGg18KzQAqjxcmjzuX+Je9io4XxM18sDbKdorHjL3Q5i2b9ioyWg+M3 PA7jzeENy2ak79KusTuH0BY3UoYq27xFnJzUKLhmSN5AC+A+eqGbUrn4TXE7vif+t20i ZkXe56Ydn0sMFaPu5SabY6Imdjpo1BldP7+F6nmlrcuZ88z3ZCWadqUBBDFTLa6w+Cfd 1s1+SS9JwbsfWgldcEqKE0mHh2uFnx/mHzpHZV7UaVDVVyCo/sC8lToEIMkheV4WrJJJ x/RCvZvX3WJNY6g8flY6sWsNVhPi6YSPgA4GLwW4bSqDNg/GU5FB8ifUGyEqwfhdIpUy ZrIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1747837568; x=1748442368; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=YzQoi4QOuedd2JoaQVnD0qgzd/xiMjhBYDwpVghwjAc=; b=lja9T+mHGiK5TTYhrhA65ui3qnwKAiP/MQOyqTZsMfEmjzgzTwIQyASJVZG8aAuOpa ccwwFuH3fTKkZLKfrLhrgtueh8CD39qDcrCmqU1TM73vkC45NRp7eXUka2xbOagRwJtq Cs/K7O5w4TIQwlvs8mbd5dIgvS6qYu2kdJP3A8WTgk+NodV5ykHGju98NFesOXjBY6pj W9NrbkAScLz6Ekalk46xB8zH266lNRyrXIuJGNv02SPkbaH0PlMnM2JKWCU8uxVggl6H gPLF6pGsGe37Y0zrCIK+7Dl+4zUWiOb7/EkE46KYAEeDwmTtUbEkaiMKp7puJvZXAXtP 9ggQ==
X-Forwarded-Encrypted: i=1; AJvYcCUAIc4mC3uIu06P0Ggn/X6r60Ke2dQsNJVTR77iEI94AmuBrypwzEco+pCbx5wEHMZ8zpE=@ietf.org
X-Gm-Message-State: AOJu0Yw0+vzms5C0p/u3ShGqGKWC6JW/ZEK3Pan6zO6C6vgNTkdCEpzU kMAIvXvMQYzKK1zwlPjq2ACpk0t6lkPwXUmRXfpzYodJDqSchrP6yIXvKERpGopZBYJfETW/iaJ 9yQ/KOiXErBJzxeRdjjnvIll4kNY29sg=
X-Gm-Gg: ASbGncuCXhebQdgHXQ45mhlDT+nRDuYV205BIjcfEnes3rahYqJ4IpAMAzUQEvm2Z4o loterZy//4ebpZZHzXtVju9r8m+KUdgJAyN8k/TBZ6/zAFmF5p++tRZz0mUPZqaFT+1r6jIaL7l w50BXbKn0PjpY83IxkfBGrU84UrRv55a62Sqd3Eyzmnq8=
X-Google-Smtp-Source: AGHT+IFpLEzbhCTVJzxup9CL2hu0V37StWwwtnAoVdwqP4qQJuwNLBfuDD/CGJzRcPa+wN+cu1ig17AQFfmSIY7rZh8=
X-Received: by 2002:a05:6000:178e:b0:3a3:58f0:a38b with SMTP id ffacd0b85a97d-3a3600da0aamr16403835f8f.43.1747837568094; Wed, 21 May 2025 07:26:08 -0700 (PDT)
MIME-Version: 1.0
References: <CAMm+LwgUckd7M4J1wop9srwxaFkfenmibLJ1=-dJb-pfEkXxLg@mail.gmail.com> <SA1PR15MB43703CB15BF72D1F56FCDF5CB39EA@SA1PR15MB4370.namprd15.prod.outlook.com> <CAMm+Lwir2NhkUDgTTx7Nv+iHJGs+ox2tia8u5=W19P67jtsFvQ@mail.gmail.com>
In-Reply-To: <CAMm+Lwir2NhkUDgTTx7Nv+iHJGs+ox2tia8u5=W19P67jtsFvQ@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
Date: Wed, 21 May 2025 10:25:57 -0400
X-Gm-Features: AX0GCFuTXih8I2tnC5JlCk7wGhSoMwB72kZnrnACl3jIrHMyyai866h0rMYep78
Message-ID: <CAHPuVdXRZ7qzUCh1SB0vpjbP7HLZYk7TSW6Z7_sfD6BJWStJ_w@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Content-Type: multipart/alternative; boundary="0000000000005f17730635a62529"
Message-ID-Hash: UKWLN2FITEVNMPSA53FR7OWYAAWIWVNN
X-Message-ID-Hash: UKWLN2FITEVNMPSA53FR7OWYAAWIWVNN
X-MailFrom: shuque@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Ben Schwartz <bemasc@meta.com>, tls <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Transparent TLS Client Auth (t2CA)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wW712Ib3H66lBdVbzShPged4jcw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Phillip,
Can you review the DANCE documents and see if they can satisfy your use
case?
https://datatracker.ietf.org/wg/dance/documents/
You could also start a thread on the DANCE wg mailing list.
At first glance, I can't see why the DANE TLS client auth protocol
described there could not accommodate Bluesky/AT protocol handles, but
perhaps you can do a deeper review. It might also be useful to describe the
use case in the DANCE architecture doc (which describes the set of other
use cases we had originally envisioned). This set of docs is currently in
working group last call.
Shumon.
On Wed, May 21, 2025 at 10:15 AM Phillip Hallam-Baker <phill@hallambaker.com>
wrote:
> Thanks! I had forgotten about that spinning out. I was coming to this from
> the OAUTH frame and suddenly realized TLS client auth could be a better
> option.
>
> It certainly looks like DNS Handles makes that model look a lot clearer.
> The frame that we were given for Internet accounts is 'alice@example.com',
> the account being provided by an Internet service. OAUTH originally fit the
> same model only it is an account with an authentication service.
>
> @alice.example.com is a different frame in which Internet accounts are
> represented directly in the DNS. It is a model a lot of people have
> resisted but there are 35 million users already and growing.
>
>
> On Wed, May 21, 2025 at 8:57 AM Ben Schwartz <bemasc@meta.com> wrote:
>
>> This sounds a bit like draft-ietf-dance-client-auth.
>>
>> --Ben Schwartz
>> ------------------------------
>> *From:* Phillip Hallam-Baker <phill@hallambaker.com>
>> *Sent:* Tuesday, May 20, 2025 10:44 PM
>> *To:* tls <tls@ietf.org>
>> *Subject:* [TLS] Transparent TLS Client Auth (t2CA)
>>
>> I have floated parts of this scheme in OAUTH and DANE. As we all know,
>> TLS does Client auth in theory but the implementations are unusable for two
>> reasons: 1) Issue of client side certs is a pain 2) The user interface
>> asking the user to select
>> I have floated parts of this scheme in OAUTH and DANE.
>>
>> As we all know, TLS does Client auth in theory but the implementations
>> are unusable for two reasons:
>>
>> 1) Issue of client side certs is a pain
>> 2) The user interface asking the user to select a certificate.
>>
>> Both problems could potentially be addressed by the emerging DNS handles
>> infrastructure. At present, the authentication is OAUTH2 based. But TLS
>> Client Authentication under a certificate validated under the DNS handle
>> would be cleaner.
>>
>> So, I am looking for people interested in a side meeting in Madrid.
>>
>> Here is my current sketch:
>>
>> User gets handle from DNS Handle provider who (usually) also runs an
>> OAUTH2 service under the ATprotocol profile and a private CA for the user.
>>
>> The root of the private CA is bound to the DNS zone by a TXT or TLSA
>> record.
>>
>> Each device the user wants to use with their DNS handle gets issued its
>> own client cert.
>>
>> Users can have multiple personas and the browser selects the certificate
>> the user has assigned to the site asking for authentication.
>>
>>
>> Net is that the user gets to authenticate to any site (supporting T2CA)
>> under the DNS Handle and persona they have selected for their site without
>> any additional hassle.
>>
>>
>> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
>
- [TLS] Transparent TLS Client Auth (t2CA) Phillip Hallam-Baker
- [TLS] Re: Transparent TLS Client Auth (t2CA) Ben Schwartz
- [TLS] Re: Transparent TLS Client Auth (t2CA) Phillip Hallam-Baker
- [TLS] Re: Transparent TLS Client Auth (t2CA) Shumon Huque
- [TLS] Re: Transparent TLS Client Auth (t2CA) Phillip Hallam-Baker
- [TLS] Re: Transparent TLS Client Auth (t2CA) Eric Rescorla
- [TLS] Re: Transparent TLS Client Auth (t2CA) Phillip Hallam-Baker
- [TLS] Re: Transparent TLS Client Auth (t2CA) Eric Rescorla
- [TLS] Re: Transparent TLS Client Auth (t2CA) Phillip Hallam-Baker
- [TLS] Re: Transparent TLS Client Auth (t2CA) Eric Rescorla
- [TLS] Re: Transparent TLS Client Auth (t2CA) Phillip Hallam-Baker
- [TLS] Re: Transparent TLS Client Auth (t2CA) Eric Rescorla
- [TLS] Re: Transparent TLS Client Auth (t2CA) Phillip Hallam-Baker