IETF Logo Mail Archive

[TLS] Re: I-D Allow using serverAuth certificates for mutual TLS (mTLS) authentication in server-to-server usages - updates rfc5280 and rfc6066

Nico Williams <nico@cryptonector.com> Fri, 20 June 2025 03:04 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 20DCE3739D36 for <tls@mail2.ietf.org>; Thu, 19 Jun 2025 20:04:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=cryptonector.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oBPF65mW4HfB for <tls@mail2.ietf.org>; Thu, 19 Jun 2025 20:04:51 -0700 (PDT)
Received: from black.elm.relay.mailchannels.net (black.elm.relay.mailchannels.net [23.83.212.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 883083739D31 for <tls@ietf.org>; Thu, 19 Jun 2025 20:04:51 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 73DFB8A59D0; Fri, 20 Jun 2025 03:04:50 +0000 (UTC)
Received: from pdx1-sub0-mail-a285.dreamhost.com (trex-green-0.trex.outbound.svc.cluster.local [100.96.51.46]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 14C568A3DFB; Fri, 20 Jun 2025 03:04:50 +0000 (UTC)
ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1750388690; a=rsa-sha256; cv=none; b=5E6rx/bD38qcQ/Ews+hKwWjcYSaBTc2DbeNt2R/Z4vgExzmMhvINvOGwDk/DNnkydM0fSk hPRxGIyDpjKLsd8jHWH8/YkFR6wsq+e2PKvxtup+zylk2zcyVcSqP7MTrXwqaP8MBX9Pt7 twvD4N1a2t2gAo2Uj9xp0aETIMKSjO4PN0UucYib9TPuipKTkwcsHkRouL5rm7vH7Leq+3 tw6JiS8hmjKjn+bzTSrZcuTT1xcmFmu+nwAi+ebnwYyAGBiUaymBpIGYU7hFaaZAOTSXlR YY0n3ehc1ekGsgkkIAOjgMkzcLa5bdXw9hT+fzC1TIajAaWrOo4FHs5VZSOHCg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1750388690; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:dkim-signature; bh=82mmzAh31p9N+zpc7HTw+wPuT9g1Gi5moU88ud4sR5s=; b=pDwpFlP0Xt7aXOXbTIO6KvHkO0ecGWaqxgjySS8ees7NekyyZOEcEaVuYTTt52AexJ7Hgu Ksr+MEowpVHnnv/l8CiXggO6R7bbSel5jIC1flEnE5x6t1MrXkSTF+IiyJR/+2BiPNAya+ fXPz3iBwlgV7xw4r8MSZB7meoRWN6C6cW5LVatZbDlTURCP/oDKKxvuiNvlIfLF+/cANN/ 0H1abkpNQjFUFWFCgcz3XSJWbhKvE8OPsFdWLyewllB4tooIiJHAXLv8XD/cNbCmYgA0Ta arpOM1skdatKd1xcg3UnJHX8zR5TfCKNC7/ro4IDE/gmUp7s64kNbp4cCN7ZRQ==
ARC-Authentication-Results: i=1; rspamd-6597f9cdc7-pqms9; auth=pass smtp.auth=dreamhost smtp.mailfrom=nico@cryptonector.com
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Industry-Interest: 167476757d401f66_1750388690302_4265237116
X-MC-Loop-Signature: 1750388690302:4165469045
X-MC-Ingress-Time: 1750388690302
Received: from pdx1-sub0-mail-a285.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.96.51.46 (trex/7.0.3); Fri, 20 Jun 2025 03:04:50 +0000
Received: from ubby (syn-075-081-095-064.res.spectrum.com [75.81.95.64]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a285.dreamhost.com (Postfix) with ESMTPSA id 4bNj4x3lrZz73; Thu, 19 Jun 2025 20:04:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cryptonector.com; s=dreamhost; t=1750388689; bh=82mmzAh31p9N+zpc7HTw+wPuT9g1Gi5moU88ud4sR5s=; h=Date:From:To:Cc:Subject:Content-Type; b=Uj5Fh3ubxZDiMJ+D8clgEgdexBWjLNb1op8n9emy4HU+egqfEILXgq3Sz9CFTZWgM qaTHSG8qb8Z9bCagD3VGXecT6CEiOLOvJ1V86hFA+ofZtraoykMt+Wp7uAw39D3JPm FwB5RCDy2Gv/wj9I70yi3URVfcEcD+pnOyvrVLMo5wEt8DlcSCLGGUMJfMFA1tRBAY i3SepwiI0IHxhcbjdLNeKzD8SK9qtzvCU4vvPN4h0FcgIsDjJvIHb6RI4ABwbvbw6b 8XdUSdjSWBcOCgjyHqXUbj9n5rDGpjVSMWTC5ifvTZeqvAahZFbABjhcyFDIf+j7Nv 4QLKlGmp7L7Zg==
Date: Thu, 19 Jun 2025 22:04:47 -0500
From: Nico Williams <nico@cryptonector.com>
To: Filippo Valsorda <filippo@ml.filippo.io>
Message-ID: <aFTPz0I/pRtAkeu/@ubby>
References: <45jp5tle7ixk7xhc57j5extnhg772nhhguqp4arvuppjuotkdo@jq5vd74bdpbg> <CAF8qwaAj8rYkRWatDuxmBQ+TQu7Yw1GPNm-Jf+W1CT0j18nwBg@mail.gmail.com> <aFOipMpzLkQa1Aaa@chardros.imrryr.org> <ed038d80-59e3-4a22-bf1c-f14968e0441b@app.fastmail.com> <aFPBwrrRNAPsOeZJ@chardros.imrryr.org> <2cfea147-5948-4027-9be5-aefb90f07f56@app.fastmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <2cfea147-5948-4027-9be5-aefb90f07f56@app.fastmail.com>
Message-ID-Hash: 3YWSASHXODIWQWCURSXWY5VS4AKPB43Q
X-Message-ID-Hash: 3YWSASHXODIWQWCURSXWY5VS4AKPB43Q
X-MailFrom: nico@cryptonector.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: I-D Allow using serverAuth certificates for mutual TLS (mTLS) authentication in server-to-server usages - updates rfc5280 and rfc6066
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pe9A52wQJDSobsohiUfCqQIfqjM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Thu, Jun 19, 2025 at 11:51:54AM +0200, Filippo Valsorda wrote:
> 2025-06-19 09:52 GMT+02:00 Viktor Dukhovni <ietf-dane@dukhovni.org>:
> > One might, for example, instead dedicate to this end
> > intermediate issuer CAs having a serverAuth EKU, that will in many (be
> > they for now ad hoc, rather than RFC5280-blessed) TLS stacks be
> > intepreted as restricting any issued EE certificates to that EKU
> > (implicit or explicit).
> 
> If making a serverAuth intermediate is acceptable, then it sounds like
> there is no issue here: just self-sign it and submit that to the
> Chrome Root Program. The policy doesn't say anything about the parents
> of the roots. (That would be indeed outrageous!)

I'm guessing the rationale for Google's change is to protect apps that
support client certificates poorly (usually the norm) that

 - use WebPKI trust anchors by default just because

 - support no naming constraints whatsoever

 - use certificate subject distinguished names (typically only the CN
   attribute)

 - maybe support rfc822Name SANs

from accepting certificates issued by WebPKI CAs that they really should
not.

However, I would think that apps that support client certificates only
with dNSName SANs should be able to continue to work with WebPKI _if_
that's what they were already doing.  Are there any such?  It sounds
from this thread like "yes", there are.

Does Google's change break previously-working use cases?

I think perhaps what is desired is a policy that WebPKI root CAs (the
ones in browsers' default trust anchors) should only issue intermediate
CA certificates that only issue certificates with:

 - empty DN

 - dNSName SANs

 - no other SANs of any other kind

Then allowing clientAuth would be well enough, I suppose.

Nico
--

v2.32.0 | Report a Bug | By Email | System Status