On Fri, Jul 19, 2024, 8:58 PM Salz, Rich <rsalz=40akamai....@dmarc.ietf.org> wrote:

> I've read it before. I the main issue is that it says "trusted" a lot.
>
> Yeah, kinda snippy but not necessarily wrong.
>
> I'm a little skeptical of approaches that solve an entire problem space with
> one architecture. I'm more skeptical of enough people having the ability to
> read and understand the semantics of several pages of JSON object
> descriptions. I know I got MEGO[1] a couple of times while reading it.
>
> Can we simplify things and solve just one problem?

Do that several times and you end up with the mess we have now, where the interplay of certificate serving and algorithm selection requires quite a dance to figure out, and is version dependent. Each additional factor to negotiate has to play in, and already assembling all the bits gets complicated. On top of that, if we want the CA ecosystem to evolve, we have to deal with different clients trusting different things. And there are not a whole lot of ways to solve that. Using that mechanism to say "here is the bundle of stuff I expect" is much cleaner.

> For example, in some off-line discussions others have mentioned that with PQ
> signatures being so big, there are policy decisions that clients might want
> to enforce – do you need SCTs? Do you want OCSP stapling? Maybe it will be
> worthwhile to just think about what kind of hybrid/PQ policies clients will want
> to express?
>
> [1] https://www.collinsdictionary.com/dictionary/english/mego
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org