[TLS]Re: WG Adoption for TLS Trust Expressions
Dennis Jackson <ietf@dennis-jackson.uk> Tue, 21 May 2024 21:57 UTC
Hi Nick,

On 21/05/2024 19:05, Nick Harper wrote:
> [...]
>
> Perhaps there are additional ways to use Trust Expressions to censor
> the web that are more practical and more useful than the existing
> techniques that I didn't consider. There are most certainly other
> forms of domestic control of the Web that I didn't consider. From my
> analysis, if I were a government looking to enable surveillance and
> domestic control of the Web, I don't see Trust Expressions as
> something that unlocks new options or makes existing techniques
> easier/more reliable. It is at most something to keep in mind as
> technology evolves. Maybe I'm not very imaginative, and you've
> imagined much more interesting ways a government might surveil the web
> or attempt to control it using Trust Expressions.

This thread is now 40+ messages deep and I guess you might have not seen much of the previous discussion. I actually agree with much of your analysis, but it focused on the wrong question, as I wrote earlier in this thread:

> The question we're evaluating is NOT "If we were in a very unhappy
> world where governments controlled root certificates on client devices
> and used them for mass surveillance, does Trust Expressions make
> things worse?" Although Watson observed that the answer to this is at
> least 'somewhat', I agree such a world is already maxed at 10/10 on
> the bad worlds to live in scale and so it's not by itself a major
> problem in my view.
>
> The actual concern is: to what extent do Trust Expressions increase
> the probability that we end up in this unhappy world of government CAs
> used for mass surveillance?

On 21/05/2024 19:05, Nick Harper wrote:
> I'd be interested to hear details on what those are.

Messages [1,2,3,4] of this thread lay out these details at length.

Besides these concerns which are unaddressed so far, much of the recent discussion has focused on establishing what problem(s) Trust Expressions actually solves and how effective a solution it actually is.

Looking forward to your thoughts on either or both aspects.

Best,
Dennis

[1] https://mailarchive.ietf.org/arch/msg/tls/LaUJRHnEJds2Yfc-t-wgzkajXec/
[2] https://mailarchive.ietf.org/arch/msg/tls/zwPvDn9PkD5x9Yw1qul0QV4LoD8/
[3] https://mailarchive.ietf.org/arch/msg/tls/9AyqlbxiG7BUYP0UD37253MeK6s/
[4] https://mailarchive.ietf.org/arch/msg/tls/fxM4zkSn0b8zOs59xlH6uy8P7cE/