Dear TLS Working Group,

Thank you for your response to our previous message from Eric Rescorla. We appreciate your clarification on the use of ECDH ephemeral for encrypting the exchange of certificates in the TLS 1.3 handshake. Based on this information, we have a new proposal to make TLS universal and promote the use of encryption across the internet. Our idea is to use ECDH ephemeral to create secure connections for sites that do not have certificates. This will provide a low level of security for these sites, but still better than the current situation where plaintext HTTP is used for these sites. Furthermore, using a certificate for a site should provide a medium level of security, which is already the case. Finally, mutual authentication should provide a high level of security. We believe this approach would be in line with the spirit of the Browser Forum, which seeks to promote universal encryption on the internet.

Furthermore, our proposal to use ECDHE for securing connections without a certificate provides the same level of assurance as the use of low-assurance certificates, such as those issued by Let's Encrypt or Cloudflare, which do not guarantee the identity of the server and its owners. In fact, many certificates simply guarantee that the site is hosted by a particular provider, such as the certificate used by any site on Cloudflare, which lists Cloudflare, Inc. as the organization. Our proposal offers a more universal approach to encryption that doesn't rely on specific certificate authorities or their levels of assurance, and it would bring the benefits of encryption to all sites, regardless of their level of technical sophistication or resources.

Additionally, it is worth noting that many websites currently use low-assurance certificates simply to meet TLS requirements and enable encryption on their channels. This practice goes against the original philosophy of TLS, which was designed to provide strong assurance of server identity. Therefore, our proposal to include a low-assurance level using ephemeral ECDH in TLS would not only make the protocol universal but also help mitigate this problem. This reinforces the idea of including a method within TLS for users to securely utilize the protocol without having to resort to workarounds.

We believe that by making encryption available to all sites, we can promote greater security on the internet. This proposal will also help users understand the level of security provided by their connections and will encourage them to demand stronger security where it is necessary.

Thank you for your consideration, and we look forward to your response.

Best regards,
Yannick LaRue
SSE Carte à Puce Inc.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls