Internet-Draft draft-davidben-tls-trust-expr-03.txt is now available. It is a
work item of the Transport Layer Security (TLS) WG of the IETF.
Title: TLS Trust Expressions
Authors: David Benjamin, Devon O'Brien, Bob Beck
Name: draft-davidben-tls-trust-expr-03.txt
On 23/05/2024 17:41, David Benjamin wrote:
On Thu, May 23, 2024 at 11:09 AM Dennis Jackson
wrote
This is something that I believe David Benjamin and the other
draft authors, and I all agree on. You and Nick seem to have
misunderstood either the argument or the draft.
David Be
Hi Ryan,
On 23/05/2024 19:01, Ryan Hurst wrote:
Regarding the concern about government-mandated adoption of root
certificates, I also care deeply about this issue. This is why I am
disappointed by the one-sided nature of the conversation. I see no
mechanism in this proposal that bypasses opera
On Thu, May 23, 2024 at 4:14 AM Dennis Jackson wrote:
> Hi Nick,
>
> I think the issues around risk have a great deal of nuance that you're not
> appreciating, but which I've tried to lay out below. I appreciate that
> rational reasonable people can absolutely disagree on how they weigh up
> thes
On Fri, May 24, 2024 at 10:14 AM Dennis Jackson wrote:
> Hi David,
>
> The certification chains issued to the server by the CA come tagged with
> a list of trust stores it's included in. The named trust stores are
> completely opaque to the server. These chains and names may not be trusted
> by a
On Fri, May 24, 2024 at 06:14:00PM +0100, Dennis Jackson wrote:
>
> Trust Expressions, though intended to solve completely different problems,
> will accidentally eradicate both of these advantages. Firstly, it provides a
> nice on ramp for a new domestic trust store, mostly through the negotiatio
On Fri, May 24, 2024 at 2:16 PM Nick Harper wrote:
>
> On Fri, May 24, 2024 at 10:14 AM Dennis Jackson
> wrote:
>>
>> Hi David,
>>
>> The certification chains issued to the server by the CA come tagged with a
>> list of trust stores it's included in. The named trust stores are completely
>> op
On 5/23/2024 9:41 AM, David Benjamin wrote:
At the end of the day, the TLS components of trust expressions are
simply a more size-efficient form of the certificate_authorities field.
The rest is working through the deployment implications to reduce server
operator burden. However, the way we
>
> What point in this process depends on Trust Expressions - that is to say,
> at what point does a browser decide that the government CA is acting
> differently enough from the other CAs in its root store that it’s willing
> to fragment or bifurcate its trust store, and after that point, how does
>
> In your latest message [5], I understand the context of governments
> pushing for inclusion of certain roots with varying degrees of legitimacy.
> I don’t see the on-ramp for CA pre-distribution being meaningfully
> different with Trust Expressions compared to certificate_authorities.
>
Sorry,
On Fri, May 24, 2024 at 2:27 PM Brendan McMillion <
brendanmcmill...@gmail.com> wrote:
> In your latest message [5], I understand the context of governments
>> pushing for inclusion of certain roots with varying degrees of legitimacy.
>> I don’t see the on-ramp for CA pre-distribution being meanin
On Fri, May 24, 2024 at 2:05 PM Christian Huitema
wrote:
>
>
> On 5/23/2024 9:41 AM, David Benjamin wrote:
> > At the end of the day, the TLS components of trust expressions are
> > simply a more size-efficient form of the certificate_authorities field.
> > The rest is working through the deploym
>
> Even with ubiquitous server-side TE support and servers configured with
> both a ubiquitous chain and a government-issued chain, it seems to me this
> government push for use of their CA requires a change to server TLS stacks
> to prefer the government CA chain since both will match the client'
On Fri, May 24, 2024 at 4:15 PM Brendan McMillion <
brendanmcmill...@gmail.com> wrote:
> The part of the spec you quoted says: if multiple certs match, choose any.
> When TE is rendered in actual code, why do you assume that there will be no
> configurable or easily-gameable way to make sure the g
On Fri, May 24, 2024 at 5:18 PM Brendan McMillion <
brendanmcmill...@gmail.com> wrote:
> Even with ubiquitous server-side TE support and servers configured with
>> both a ubiquitous chain and a government-issued chain, it seems to me this
>> government push for use of their CA requires a change to
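The selection step argued over across these messages (a server holding several chains, each tagged by its CA with the trust stores it is included in, and the draft's "if multiple certs match, choose any" rule) is easiest to see in code. The following is an added illustration written for this page, not code from the draft or its authors: the TrustExpression and inclusion fields are a simplified model rather than the draft's wire format, the store names, versions, chain labels and the "preference" knob are invented sample data and assumptions, and the size comparison uses the RFC 8446 certificate_authorities layout against an assumed compact trust-expression encoding.

```python
"""Simplified server-side chain selection under TLS Trust Expressions.

Constructed illustration only: the fields below are a simplified model of
draft-davidben-tls-trust-expr, not its wire format, and every store name,
version and chain label is invented sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TrustExpression:
    """What a client advertises: 'I carry trust store `store` at `version`'.
    (Simplified: the draft also carries excluded labels; omitted here.)"""
    store: str
    version: int


@dataclass(frozen=True)
class CertChain:
    """A chain as issued to the server, tagged by the CA with the trust stores
    (and version ranges) it is included in. The server treats the store names
    as opaque strings, as the thread describes."""
    label: str
    inclusions: Dict[str, Tuple[int, int]]  # store -> (first, last) version, inclusive


def chain_matches(chain: CertChain, expr: TrustExpression) -> bool:
    """True if the CA tagged this chain as included in the client's store version."""
    rng = chain.inclusions.get(expr.store)
    return rng is not None and rng[0] <= expr.version <= rng[1]


def select_chain(chains: List[CertChain],
                 client_exprs: List[TrustExpression],
                 preference: Optional[List[str]] = None) -> CertChain:
    """Pick the chain to send.

    - No match: fall back to chains[0], taken here (assumption) to be the
      operator's default chain, sent exactly as it would be without the extension.
    - One match: send it.
    - Several matches: the draft text quoted in the thread says 'choose any';
      `preference` is an assumed operator-configurable ordering of chain labels,
      i.e. the knob the thread worries could steer clients toward one chain.
      Without it, configuration order decides.
    """
    matching = [c for c in chains if any(chain_matches(c, e) for e in client_exprs)]
    if not matching:
        return chains[0]
    if preference:
        rank = {label: i for i, label in enumerate(preference)}
        matching.sort(key=lambda c: rank.get(c.label, len(rank)))
    return matching[0]


def certificate_authorities_size(dns: List[bytes]) -> int:
    """Bytes in a certificate_authorities extension body for the given DER
    DistinguishedNames: 2-byte list length plus a 2-byte length per name
    (RFC 8446, section 4.2.4)."""
    return 2 + sum(2 + len(dn) for dn in dns)


def trust_expression_size(expr: TrustExpression) -> int:
    """Assumed compact encoding of one trust expression for comparison only:
    1-byte name length + name + 2-byte version. Not the draft's exact layout."""
    return 1 + len(expr.store.encode()) + 2


# Constructed sample: two chains from one server's configuration.
CHAINS = [
    CertChain("public",   {"example_browser_store": (1, 30)}),
    CertChain("domestic", {"example_browser_store": (25, 30),
                           "example_gov_store": (1, 5)}),
]

# Constructed stand-in for 150 root DNs of 90 bytes each, roughly what a
# certificate_authorities list naming a whole root store would carry.
SAMPLE_DNS = [b"\x30" + bytes([88]) + bytes(88) for _ in range(150)]


def demo() -> Dict[str, str]:
    """Run the four client cases the thread discusses and report which chain is sent."""
    browser_old = [TrustExpression("example_browser_store", 20)]
    browser_new = [TrustExpression("example_browser_store", 28)]
    gov_only = [TrustExpression("example_gov_store", 2)]
    unknown = [TrustExpression("some_other_store", 1)]
    return {
        "browser_old": select_chain(CHAINS, browser_old).label,
        "browser_new_default": select_chain(CHAINS, browser_new).label,
        "browser_new_prefer_domestic": select_chain(CHAINS, browser_new, ["domestic"]).label,
        "gov_only": select_chain(CHAINS, gov_only).label,
        "no_match": select_chain(CHAINS, unknown).label,
    }


if __name__ == "__main__":
    for case, chosen in demo().items():
        print(f"{case}: {chosen}")
    print("certificate_authorities bytes:", certificate_authorities_size(SAMPLE_DNS))
    print("trust expression bytes:",
          trust_expression_size(TrustExpression("example_browser_store", 28)))
```

The point the cases make: for a client whose store version predates the domestic chain's inclusion only the public chain matches, for a client on a newer version both match and the outcome is decided entirely by the server's tie-break, and a client advertising a store the CA never tagged gets the default chain, as it would today.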