[TLS] Re: I-D Allow using serverAuth certificates for mutual TLS (mTLS) authentication in server-to-server usages - updates rfc5280 and rfc6066
Benjamin Kaduk <bkaduk@akamai.com> Wed, 18 June 2025 21:41 UTC
Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 7541D36A12F0 for <tls@mail2.ietf.org>; Wed, 18 Jun 2025 14:41:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.795
X-Spam-Level:
X-Spam-Status: No, score=-2.795 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VNGxkcUPpg0G for <tls@mail2.ietf.org>; Wed, 18 Jun 2025 14:41:14 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [67.231.157.127]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 1F8CB36A12EB for <tls@ietf.org>; Wed, 18 Jun 2025 14:41:11 -0700 (PDT)
Received: from pps.filterd (m0122330.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 55IApRom016488; Wed, 18 Jun 2025 22:40:08 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=cc :content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to; s=jan2016.eng; bh=grdaLOYWbseIMJgzH0/ZHc neMikrs/ga0k08Gyah8rA=; b=X7bPmA2+80qbYlnTamTlWX2LGWeqPFL889SsQB rdJdnfOE+40QzGOWjTC60/zSms5YLJpe6CJutl4r0Ophjw1pkF+RXb2NjQ5o0Iy2 Niua+WueBfvRMgJzLup3AvqG6VMMhMju3j1XJgKCuDF0ZkT/CVHxx8SW9q2k8goE 6mZUhahPnqOM+MBdNixfuUgrwNv4/2LKP9v5KQmfY5ixdimXvU8jJgHrkvG3n960 /IpreNWyx2sNwRTef1y0CpgvJcZxYmjvX+u+S8wQihdjuLn52GYGEc3Ypv1tq+3S KKnnUoc7qqZ8nGPfad0EVRatJeA8PxfAgIaozTeQ3md9U0dg==
Received: from prod-mail-ppoint6 (prod-mail-ppoint6.akamai.com [184.51.33.61] (may be forged)) by mx0b-00190b01.pphosted.com (PPS) with ESMTPS id 4791m5effy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 18 Jun 2025 22:40:08 +0100 (BST)
Received: from pps.filterd (prod-mail-ppoint6.akamai.com [127.0.0.1]) by prod-mail-ppoint6.akamai.com (8.18.1.2/8.18.1.2) with ESMTP id 55IKdRka014233; Wed, 18 Jun 2025 17:40:07 -0400
Received: from email.msg.corp.akamai.com ([172.27.50.202]) by prod-mail-ppoint6.akamai.com (PPS) with ESMTPS id 47bt18u8vs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 18 Jun 2025 17:40:07 -0400
Received: from ustx2ex-dag4mb4.msg.corp.akamai.com (172.27.50.203) by ustx2ex-dag4mb3.msg.corp.akamai.com (172.27.50.202) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.10; Wed, 18 Jun 2025 14:40:06 -0700
Received: from akamai.com (172.27.164.43) by ustx2ex-dag4mb4.msg.corp.akamai.com (172.27.50.203) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1748.10 via Frontend Transport; Wed, 18 Jun 2025 14:40:05 -0700
Date: Wed, 18 Jun 2025 14:40:03 -0700
From: Benjamin Kaduk <bkaduk@akamai.com>
To: Klaus Frank <draft-frank-mtls-via-serverauth-extension@frank.fyi>
Message-ID: <aFMyM5ZIpjllDyD/@akamai.com>
References: <aFGSaasuDJ3iuG5j@chardros.imrryr.org> <wknlqq6mkz7kospdybnryxm6njweezjssy37lzfjntzagnonur@f77plezj3k7c>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <wknlqq6mkz7kospdybnryxm6njweezjssy37lzfjntzagnonur@f77plezj3k7c>
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-18_06,2025-06-18_03,2025-03-28_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 phishscore=0 mlxscore=0 adultscore=0 suspectscore=0 bulkscore=0 malwarescore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2505160000 definitions=main-2506180185
X-Authority-Analysis: v=2.4 cv=cZ3SrmDM c=1 sm=1 tr=0 ts=68533238 cx=c_pps a=WPLAOKU3JHlOa4eSsQmUFQ==:117 a=WPLAOKU3JHlOa4eSsQmUFQ==:17 a=kj9zAlcOel0A:10 a=6IFa9wvqVegA:10 a=D06pMWHSg6xvBtCDAxIA:9 a=CjuIK1q_8ugA:10
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNjE4MDE4NSBTYWx0ZWRfX8XP11bZ11Y8r Vu4cdliR3t4b3J/e/Ks+PajcUhwgHdDptY9KyQk7ACGinYZybbLNnebET1cwTOQWrM4eC4+hCHf gdVrV0fillgzmbRodTkQz30e4G/Ps17rIO1DS53rOihblj7zXGN8/OSkA/8yErImZ5+ekm2n2yQ PTX7SQN9nE9wnaQL1tp8z6wytf21Ybcg8/ldbqtDlqgRTGEi2W6YxqSNs+MeTZSmDIh9X4XTLKP YS1MPtXPaN0ZyC5Y7rXvcWdV7CpbEtampWiV7GIRGFuWwQZC2skRLzt7LqANhlUjuveZ7zeeKRx Zy9GqT1mY0m1TToUosBtz/ZJ0CpSkTH7UWwZFyQq5I3ct3YvPufIONtyLYRMfdVajYEW3wvC8dY Kpcfi7bLBXtkh1+54nu4633Wsh1qncyyKQSE7CEHG/6Yh/xMWuqBI/WQzOBKoeBC9Sk8GJLn
X-Proofpoint-GUID: hcx8aP9wgeBzTBxebSbAl6_pghR4YZVs
X-Proofpoint-ORIG-GUID: hcx8aP9wgeBzTBxebSbAl6_pghR4YZVs
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-06-18_06,2025-06-18_03,2025-03-28_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 impostorscore=0 malwarescore=0 phishscore=0 spamscore=0 clxscore=1011 adultscore=0 bulkscore=0 suspectscore=0 lowpriorityscore=0 mlxlogscore=940 priorityscore=1501 mlxscore=0 classifier=spam authscore=0 authtc=n/a authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.19.0-2505280000 definitions=main-2506180185
Message-ID-Hash: PY5YCI3OQEXU3BDKHHXUIM7HVIGG3KSK
X-Message-ID-Hash: PY5YCI3OQEXU3BDKHHXUIM7HVIGG3KSK
X-MailFrom: bkaduk@akamai.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: I-D Allow using serverAuth certificates for mutual TLS (mTLS) authentication in server-to-server usages - updates rfc5280 and rfc6066
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/oZZSVgnHL40j2M3sDF203oJHRgQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
On Wed, Jun 18, 2025 at 09:19:09PM +0000, Klaus Frank wrote:
>
> (resent without breaking the thread)
>
> It also was already tried to make Google reconsider. But to no avail.
> Basically they don't care about the practical issues and at most say
> "just roll your own PKI" as everyone apparently should just stop using
> the Web-PKI for other services entirely. Well only issue is that there
I think that's an exaggeration of the actual reality ("everyone should
just stop using the Web PKI for other services entirely").
While we should not be surprised that the Web PKI is being managed for
the benefit of the Web ecosystem with only minimal consideration toward
other ecosystems, the very nature of the Web as decentralized, open,
and with server authentication fundamentally chaining toward effective
control of DNS names implies that quite a lot of non-Web services will
continue to be able to shoehorn their needs into something compatible
with the Web model and thus continue to use the Web PKI. There is some
level of risk in doing this, though, since such non-Web usage is not
reflected by any primary stakeholders in the Web PKI management and thus
the PKI could evolve out from under such usage (which feels like what
we are seeing here).
> is basically no other PKI infrastructure to migrate towards. Especially
> none that can be assumed to be universally trusted. Call it lazyness or
> whatever but almost everyone relied upon the Web-PKI. Or does anyone
> know a single one that is e.g. trusted by all operating systems but not
> by web browsers that could be used here?
The other big open/distributed PKI that is widely trusted is the DNSSEC
KPI. It is, of course, managed primarily for the benefit of the DNS ecosystem,
but just like the Web PKI it can be leveraged by other consumers for various
purposes, e.g., via DANE as Viktor has already noted.
Given that it takes a pretty significant investment to develop the needed
policies to define the goals and operations of a PKI and provide secure
operation for the root key(s), it does not suprise me that very few
ecosystems have committed the resources to build their own PKI from scratch.
But a robust PKI is just not something to assume you can get for free.
-Ben
- [TLS] I-D Allow using serverAuth certificates for… Klaus Frank
- [TLS] Re: I-D Allow using serverAuth certificates… Viktor Dukhovni
- [TLS] Re: I-D Allow using serverAuth certificates… Salz, Rich
- [TLS] Re: I-D Allow using serverAuth certificates… Watson Ladd
- [TLS] Re: I-D Allow using serverAuth certificates… Klaus Frank
- [TLS] Re: I-D Allow using serverAuth certificates… Klaus Frank
- [TLS] Re: I-D Allow using serverAuth certificates… Benjamin Kaduk
- [TLS] Re: I-D Allow using serverAuth certificates… Klaus Frank
- [TLS] Re: I-D Allow using serverAuth certificates… Tim Hudson