I agree.
It is also good to cover different reference models / recommended patterns for 
mTLS vs one-way TLS.


Best,

Sudha E Iyer | Head, Data CyberSecurity Architecture Team | Chief Information 
Security Office | sudha.e.i...@citi.com

________________________________
From: [dmarc.ietf.org] John Mattsson 
<john.mattsson=40ericsson....@dmarc.ietf.org>
Sent: Tuesday, September 10, 2024 8:16:15 AM
To: Salz, Rich <rsalz=40akamai....@dmarc.ietf.org>; Mark Robinson 
<m...@markrobinson.io>; tls@ietf.org <tls@ietf.org>; u...@ietf.org 
<u...@ietf.org>
Subject: [TLS] Re: Is there any interest in an RFC on how to do 
cross-organization mTLS?

I would be very supportive of such an approach. I think the scope should cover 
mTLS in general, not just cross-organization. The term mTLS is not even defined 
in IETF; in fact the TLS WG has previously used mTLS for at least two other things. 
It would be good to have a document to refer to for implementation requirements. A 
lot of TLS implementations are not at all suitable for mTLS. I have seen a lot 
of cases where people assume that any product supporting TLS will be suitable 
for mTLS. But often they are very limited and don't support client certs, don't 
support revocation, don't support extracting certificates from the handshake, 
etc.

I think it would also be very good to have an mTLS RFC when TLS 1.4 is done 
sometime in the future. TLS 1.3 removed a lot of functionality that was 
important to a lot of mTLS deployments, like a fourth handshake message, 
ephemeral ECDHE during a connection, reauthentication, and moved external PSK 
identifiers to a message where there is no identity protection. It is not the 
TLS WG's fault if nobody was there to argue for the need of these things, but it 
would be good to have a document documenting these things in the future. Note that 
mTLS deployments are very different and might require different things.


Cheers,

John
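Two points above are concrete enough to show in code: John's list of what an mTLS-capable stack must actually do (request client certificates, verify them against the right trust store, and expose the peer certificate from the handshake to the application) and Sudha's request for distinct reference patterns for one-way TLS versus mTLS. The following Go program is an added example written for this page; it is not code from the thread, from the TLS or UTA working groups, or from any RFC. Everything in it is an assumption constructed for the illustration: the organisation names, the service name `svc.orga.example`, the client identity `orgb-batch-client`, the CN allow-list, and the throwaway in-memory PKI. Revocation, also on John's list, is deliberately left out because Go's crypto/tls has no built-in CRL or OCSP checking; in a real deployment it would have to be added in the same `VerifyPeerCertificate` hook that carries the identity policy here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serviceName = "svc.orga.example"                                 // hypothetical Org A service (assumed for this example)
var allowedPartnerCNs = map[string]bool{"orgb-batch-client": true} // hypothetical Org B identities Org A accepts

func must[T any](v T, err error) T { // setup helper for the constructed test PKI only
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a constructed test certificate for cn: a self-signed root when ca is nil, otherwise an end-entity cert signed by ca and limited to the single EKU eku.
func issue(ca *tls.Certificate, cn string, eku x509.ExtKeyUsage) *tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	parent, signer := tmpl, any(key) // self-signed unless a CA is given
	if ca != nil {
		parent, signer = ca.Leaf, ca.PrivateKey
		tmpl.DNSNames = []string{cn} // the client verifies the server against this SAN
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// serverConfig is Org A's server side. mutual=false is one-way TLS: only the server authenticates and no client
// certificate is ever requested. mutual=true requires a client chain rooted in partnerCA, a trust store kept
// separate from Org A's own roots, and then applies the identity allow-list to the already verified chain.
func serverConfig(cert *tls.Certificate, partnerCA *x509.Certificate, mutual bool) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{*cert},
		SessionTicketsDisabled: true} // only so the unbuffered in-memory pipe below cannot stall on ticket writes
	if !mutual {
		return cfg
	}
	cfg.ClientCAs, cfg.ClientAuth = x509.NewCertPool(), tls.RequireAndVerifyClientCert
	cfg.ClientCAs.AddCert(partnerCA)
	cfg.VerifyPeerCertificate = func(_ [][]byte, chains [][]*x509.Certificate) error {
		// With RequireAndVerifyClientCert this hook runs only after chain verification against ClientCAs succeeded.
		if cn := chains[0][0].Subject.CommonName; !allowedPartnerCNs[cn] {
			return fmt.Errorf("client %q is not an authorized partner identity", cn)
		}
		return nil
	}
	return cfg
}

// clientConfig trusts serverCA for the server's chain and offers cert, if any, when the server asks for one.
func clientConfig(serverCA *x509.Certificate, cert *tls.Certificate) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: x509.NewCertPool(), ServerName: serviceName}
	cfg.RootCAs.AddCert(serverCA)
	if cert != nil {
		cfg.Certificates = []tls.Certificate{*cert}
	}
	return cfg
}

// handshake runs one handshake over an in-memory pipe and returns the client CommonName the server
// extracted from the handshake ("" when no client certificate was presented), or the first error.
func handshake(srvCfg, cliCfg *tls.Config) (string, error) {
	sc, cc := net.Pipe()
	sc.SetDeadline(time.Now().Add(time.Second)) // bounds the alert write when a rejected client is still mid-flight
	cc.SetDeadline(time.Now().Add(time.Second))
	srv, cli := tls.Server(sc, srvCfg), tls.Client(cc, cliCfg)
	cliErr := make(chan error, 1)
	go func() { cliErr <- cli.Handshake(); cc.Close() }()
	err := srv.Handshake()
	sc.Close()
	if err == nil {
		err = <-cliErr
	}
	if peers := srv.ConnectionState().PeerCertificates; err == nil && len(peers) > 0 {
		return peers[0].Subject.CommonName, nil
	}
	return "", err
}

// runScenarios builds two independent PKIs and exercises one-way and mutual handshakes against Org A's
// service. Each result is "accepted:<client CN>" (empty CN for one-way TLS) or "rejected: <error>".
func runScenarios() map[string]string {
	orgA, orgB := issue(nil, "Org A Root", 0), issue(nil, "Org B Root", 0)
	svc := issue(orgA, serviceName, x509.ExtKeyUsageServerAuth)
	oneWay, mutual := serverConfig(svc, orgB.Leaf, false), serverConfig(svc, orgB.Leaf, true)
	cases := map[string][2]*tls.Config{
		"one-way":             {oneWay, clientConfig(orgA.Leaf, nil)},
		"mtls-partner":        {mutual, clientConfig(orgA.Leaf, issue(orgB, "orgb-batch-client", x509.ExtKeyUsageClientAuth))},
		"mtls-no-client-cert": {mutual, clientConfig(orgA.Leaf, nil)},
		"mtls-unlisted-cn":    {mutual, clientConfig(orgA.Leaf, issue(orgB, "orgb-unlisted", x509.ExtKeyUsageClientAuth))},
		"mtls-wrong-ca":       {mutual, clientConfig(orgA.Leaf, issue(orgA, "orgb-batch-client", x509.ExtKeyUsageClientAuth))},
	}
	out := map[string]string{}
	for name, c := range cases {
		if cn, err := handshake(c[0], c[1]); err != nil {
			out[name] = "rejected: " + err.Error()
		} else {
			out[name] = "accepted:" + cn
		}
	}
	return out
}

func main() {
	for name, r := range runScenarios() {
		fmt.Printf("%-20s %s\n", name, r)
	}
}
```

The cross-organization pattern is in `serverConfig`: `ClientCAs` holds only the partner's issuing CA, separate from whatever roots the server's own chain uses, and a chain that merely validates to that CA is still not enough, because it says nothing about which of the partner's services is calling; the explicit allow-list closes that gap. Two behaviours are worth knowing when reading the results: Go's client withholds a certificate whose issuer is not in the `certificate_authorities` list the server sends, so the `mtls-wrong-ca` case surfaces on the server as a missing certificate rather than as a failed chain check, and `PeerCertificates` on the server's `ConnectionState` is the "extract the certificate from the handshake" capability John mentions, which is what an application needs in order to map a TLS identity to an authorization decision.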


From: Salz, Rich <rsalz=40akamai....@dmarc.ietf.org>
Date: Monday, 9 September 2024 at 22:30
To: Mark Robinson <m...@markrobinson.io>, tls@ietf.org <tls@ietf.org>
Subject: [TLS] Re: Is there any interest in an RFC on how to do 
cross-organization mTLS?

Would it be appropriate to write an RFC on how to make cross-organization mTLS 
work reliably and at scale? Would this group/mailing list be the right people 
to work with to make that happen?



You should also ask the UTA working group if they are interested.
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
