Hi all,

Thanks for all the feedback and spirited discussion on trust expressions. We have several updates we’d like to share here:

First, we’ve been gradually updating the draft and supplementary text in our repository to cover the various topics being discussed. The supplementary text is at:

https://github.com/davidben/tls-trust-expressions/blob/main/explainer.md

Second, we added a PKI transition strategies document with a more detailed discussion of some transition scenarios, and how various alternatives we have considered apply to them:

https://github.com/davidben/tls-trust-expressions/blob/main/pki-transition-strategies.md

We are planning to add a further document on detailed risk scenarios, as best as we can articulate them, regarding the “surveillance and possible future legislation” discussions on the list. This document isn’t quite ready but we will follow up with the list when it is.

We hope these documents will help make the goals and design decisions a little clearer.

Finally, we have published a second, related draft, TLS Trust Anchor Identifiers. This draft outlines a separate mechanism we had considered during the design of TLS Trust Expressions, and is intended to solve many of the same problems that Trust Expressions does. Some of the feedback we received about TLS Trust Expressions renewed our interest in this approach. TLS Trust Anchor Identifiers has different tradeoffs, including an optimization that depends on DNS, but is a substantially simpler design. Appendix A of the new draft compares the two.

We hope this simpler mechanism will be easier for folks to reason through and evaluate. We also hope that looking at both drafts can be helpful in considering the problem space. The second draft is here:

https://www.ietf.org/archive/id/draft-beck-tls-trust-anchor-ids-00.html
https://davidben.github.io/tls-trust-expressions/draft-beck-tls-trust-anchor-ids.html

We’re interested in learning which approach (or combination) is most appealing to the WG.

David, Devon, and Bob
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org