I think it’s very important we provide a standard to efficiently solve this 
problem. Without one, I think it’s nearly inevitable that server operators will 
have to deploy complex ClientHello fingerprinting logic for certificate 
selection to maintain widespread client compatibility (which also may only be 
feasible for large operators, and will harm the TLS ecosystem), and that we 
will be adding roadblocks to deployment of more modern trust stores.

There are still details to work out, but I support adoption of the draft as a 
good starting point.

Kyle Nekritz

From: TLS <tls-boun...@ietf.org> On Behalf Of Devon O'Brien
Sent: Tuesday, April 23, 2024 4:37 PM
To: tls@ietf.org
Cc: Bob Beck <b...@google.com>
Subject: [TLS] WG Adoption for TLS Trust Expressions

After sharing our first draft of TLS Trust 
Expressions<https://datatracker.ietf.org/doc/draft-davidben-tls-trust-expr/> 
and several discussions across a couple IETFs, we’d like to proceed with a 
call for working group adoption of this draft. We are currently prototyping 
trust expressions in BoringSSL & Chromium and will share more details when 
implementation is complete.


As we mentioned in our message to the mailing list from January, our primary 
goal is to produce a mechanism for supporting multiple subscriber 
certificates<https://github.com/davidben/tls-trust-expressions/blob/main/explainer.md> 
and efficiently negotiating which to serve on a given TLS connection, even if 
that ends up requiring significant changes to the draft in its current state.


To that end, we’re interested in learning whether WG members support adoption 
of this deployment model and the currently-described certificate negotiation 
mechanism or if they oppose adoption (and why!).


Thanks!

David, Devon, and Bob

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
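The contrast drawn in this thread (guessing which certificate chain a client can verify from ClientHello fingerprints versus having the client state which trust stores it holds, as the adoption call describes) can be illustrated with a small simulation. This is an added example, not code from the draft, from BoringSSL or from Chromium; the chain, trust-store and ClientHello structures below are constructed for illustration and do not reproduce the wire format of draft-davidben-tls-trust-expr. The heuristic in `select_by_fingerprint` is likewise a made-up rule of the kind a server operator would otherwise have to maintain.

```python
"""Toy model: a server holding several certificate chains must pick one
that the connecting client can actually verify.

Added example; not the draft's mechanism. All names below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Chain:
    name: str
    anchor: str  # constructed name of the root CA this chain terminates in


# Constructed sample: the same subscriber holds two chains from two CAs.
# Listed in the server's preferred order (newest first).
CHAINS = [
    Chain("modern-chain", "New Root CA"),
    Chain("legacy-chain", "Old Root CA"),
]
DEFAULT_CHAIN = CHAINS[-1]  # served when the server has no usable signal

# Constructed trust stores: the "modern" store has dropped the old root.
TRUST_STORES = {
    "legacy-store": {"Old Root CA"},
    "modern-store": {"New Root CA"},
    "both-store": {"Old Root CA", "New Root CA"},
}


def select_by_fingerprint(client_hello: dict) -> Chain:
    """Heuristic selection from ClientHello features (constructed rule).

    Assumes clients that offer TLS 1.3 ship a store containing the new root.
    The assumption is not something the client asserts, so any client that
    breaks the pattern is misclassified and gets an unverifiable chain.
    """
    if "TLSv1.3" in client_hello.get("versions", []):
        return CHAINS[0]
    return DEFAULT_CHAIN


def select_by_trust_expression(accepted_stores: list[str]) -> Chain:
    """Explicit negotiation (simplified model): the client names the trust
    stores it holds; the server serves the first preferred chain whose root
    appears in any of them, falling back to the default otherwise.
    """
    anchors: set[str] = set()
    for store in accepted_stores:
        anchors |= TRUST_STORES.get(store, set())
    for chain in CHAINS:
        if chain.anchor in anchors:
            return chain
    return DEFAULT_CHAIN


def client_can_verify(chain: Chain, store_name: str) -> bool:
    """True if the client's trust store contains the chain's root."""
    return chain.anchor in TRUST_STORES[store_name]


if __name__ == "__main__":
    # A client with only the modern store that, atypically, offers TLS 1.2.
    hello = {"versions": ["TLSv1.2"]}
    guessed = select_by_fingerprint(hello)
    negotiated = select_by_trust_expression(["modern-store"])
    print("fingerprint:", guessed.name, client_can_verify(guessed, "modern-store"))
    print("negotiated: ", negotiated.name, client_can_verify(negotiated, "modern-store"))
```

The run shows the failure mode the first message in the thread describes: the heuristic serves `legacy-chain` to a client that cannot verify it, while the negotiated choice serves a chain the client declared it could verify, without the server having to know anything else about that client.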
