Re: [TLS] [EXTERNAL] Re: WG Adoption for TLS Trust Expressions

2024-04-29 Thread Eric Rescorla
Hi folks, I haven't yet formed an opinion on this document, but I did want to observe that calls for adoption are issued by the chairs, not by individual participants. Of course, anyone can start a thread and comments in this thread are information for the chairs, but if adoption does happen,

Re: [TLS] [EXTERNAL] Re: WG Adoption for TLS Trust Expressions

2024-04-29 Thread Devon O'Brien
Hi Ekr, Thanks for calling attention to the wg draft adoption process; we didn't intend to issue a formal call (as that's reserved for wg chairs) and hopefully didn't cause too much confusion to that effect. While we're waiting to hear from the chairs whether they want to move this draft into cand

Re: [TLS] WG Adoption for TLS Trust Expressions

2024-04-29 Thread Dennis Jackson
When this work was presented at IETF 118 in November, several participants (including myself, Stephen Farrell and Nicola Tuveri) came to the mic to highlight that this draft's mechanism comes with a serious potential for abuse by governments (meeting minutes

Re: [TLS] WG Adoption for TLS Trust Expressions

2024-04-29 Thread S Moonesamy
Hi Dennis, At 04:20 PM 29-04-2024, Dennis Jackson wrote: Thankfully these efforts have largely failed because these national CAs have no legitimate adoption or use cases. Very few website operators would voluntarily use certificates from a national root CA when it means shutting out the rest of

Re: [TLS] WG Adoption for TLS Trust Expressions

2024-04-29 Thread Dennis Jackson
Thanks , I am

[TLS] I-D Action: draft-ietf-tls-keylogfile-02.txt

2024-04-29 Thread internet-drafts
Internet-Draft draft-ietf-tls-keylogfile-02.txt is now available. It is a work item of the Transport Layer Security (TLS) WG of the IETF. Title: The SSLKEYLOGFILE Format for TLS Author: Martin Thomson Name: draft-ietf-tls-keylogfile-02.txt Pages: 11 Dates: 2024-04-29 Abst

Re: [TLS] WG Adoption for TLS Trust Expressions

2024-04-29 Thread Brendan McMillion
Hi Dennis Admittedly, I'm not understanding how this extension enables government coercion. It seems like, with or without this extension, the path is still the same: you'd need to force a browser to ship with a government-issued CA installed. Nothing about this makes that easier. It /is/ somewhat