I agree here. The term “mTLS” is used more and more and there’s no specification. If we could document a few profiles for it, like internal use in a system, cross-organisation etc., that would be beneficial.
/O

> On 10 Sep 2024, at 09:16, John Mattsson <john.mattsson=40ericsson....@dmarc.ietf.org> wrote:
>
> I would be very supportive of such an approach. I think the scope should cover mTLS in general, not just cross-organization. The term mTLS is not even defined in IETF, in fact the TLS WG has previously used mTLS for at least two other things. It would be good to have a document to refer to for implementation requirements. A lot of TLS implementations are not at all suitable for mTLS. I have seen a lot of cases where people assume that any product supporting TLS will be suitable for mTLS. But often they are very limited and don’t support client certs, don’t support revocation, don’t support extracting certificates from the handshake, etc….
>
> I think it would also be very good to have an mTLS RFC when TLS 1.4 is done sometime in the future. TLS 1.3 removed a lot of functionality that was important to a lot of mTLS deployments like a fourth handshake message, ephemeral ECDHE during a connection, reauthentication, and moved external PSK identifiers to a message where there is no identity protection. It is not the TLS WG’s fault if nobody was there to argue for the need of these things, but it would be good to have a document documenting these things in the future. Note that mTLS deployments are very different and might require different things.
>
> Cheers,
> John
>
> From: Salz, Rich <rsalz=40akamai....@dmarc.ietf.org>
> Date: Monday, 9 September 2024 at 22:30
> To: Mark Robinson <m...@markrobinson.io>, tls@ietf.org <tls@ietf.org>
> Subject: [TLS] Re: Is there any interest in an RFC on how to do cross-organization mTLS?
>
> Would it be appropriate to write an RFC on how to make cross-organization mTLS work reliably and at scale? Would this group/mailing list be the right people to work with to make that happen?
>
> You should also ask the UTA working group if they are interested.
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
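The three capabilities John's message says many TLS stacks lack for mTLS (requiring client certs, checking revocation, and getting at the certificate presented in the handshake) as an added Go example; this is not code from the thread or from any IETF document. The `Issue` helper builds a throwaway test PKI, the `revoked` serial map stands in for a real CRL or OCSP source, and all function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Issue creates a throwaway CA (parent == nil) or a leaf signed by parent.
// Constructed test PKI only; a deployment would use its own CA.
func Issue(cn string, serial int64, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, DNSNames: []string{cn},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, pkey = t, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ServerConfig does the three things the thread says a stack must support for mTLS:
// require a client certificate, verify it against ca, and get at the certificate
// presented in the handshake so policy (here: a revoked-serial check) can run on it.
// revoked is a stand-in for a real revocation source such as a CRL or OCSP.
func ServerConfig(ca *x509.Certificate, srv tls.Certificate, revoked map[string]bool) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{Certificates: []tls.Certificate{srv}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS13,
		// Called after chain validation; chains is empty if that validation did not run.
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if len(chains) == 0 || len(chains[0]) == 0 {
				return errors.New("mTLS: no verified client chain")
			}
			if leaf := chains[0][0]; revoked[leaf.SerialNumber.String()] {
				return errors.New("mTLS: revoked client certificate for " + leaf.Subject.CommonName)
			}
			return nil // leaf is also exposed later via ConnectionState().VerifiedChains
		}}
}
```

Plug the returned config into `tls.Listen` or `tls.Server`; a client whose certificate does not chain to `ca`, or whose serial is in `revoked`, fails the handshake instead of reaching application code.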