I think it’s very important we provide a standard to efficiently solve this problem. Without one, I think it’s nearly inevitable that server operators will have to deploy complex ClientHello fingerprinting logic for certificate selection to maintain widespread client compatibility (which also may only be feasible for large operators, and will harm the TLS ecosystem), and that we will be adding roadblocks to deployment of more modern trust stores.
There are still details to work out, but I support adoption of the draft as a good starting point.

Kyle Nekritz

From: TLS <tls-boun...@ietf.org> On Behalf Of Devon O'Brien
Sent: Tuesday, April 23, 2024 4:37 PM
To: tls@ietf.org
Cc: Bob Beck <b...@google.com>
Subject: [TLS] WG Adoption for TLS Trust Expressions

After sharing our first draft of TLS Trust Expressions<https://datatracker.ietf.org/doc/draft-davidben-tls-trust-expr/> and several discussions across a couple of IETFs, we’d like to proceed with a call for working group adoption of this draft. We are currently prototyping trust expressions in BoringSSL & Chromium and will share more details when implementation is complete.

As we mentioned in our message to the mailing list from January, our primary goal is to produce a mechanism for supporting multiple subscriber certificates<https://github.com/davidben/tls-trust-expressions/blob/main/explainer.md> and efficiently negotiating which to serve on a given TLS connection, even if that ends up requiring significant changes to the draft in its current state. To that end, we’re interested in learning whether WG members support adoption of this deployment model and the currently-described certificate negotiation mechanism or if they oppose adoption (and why!).

Thanks!
David, Devon, and Bob
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls