Skip to content

New CS proposal: Cross-organization mTLS #1492

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
MarkSRobinson opened this issue Sep 17, 2024 · 7 comments
Open

New CS proposal: Cross-organization mTLS #1492

MarkSRobinson opened this issue Sep 17, 2024 · 7 comments
Assignees
@MarkSRobinson
Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. NEW_CS Issue about the creation of a new cheat sheet.

Comments

@MarkSRobinson
Copy link

What is the proposed Cheat Sheet about?

There is currently zero standards around how organizations can setup mTLS between them. In the absence of any recommendations, people will just make up whatever rules appeal to them. These rules basically make zero sense if you understand TLS at any level, but on the plus side they also carry the risk of hard downtime if a mistake is made or if someone is on vacation.

What security issues are commonly encountered related to this area?

  1. Using certificates signed by public CAs for mTLS.
  2. Manually emailing short lived certificates between organizations.
  3. Not validating the certificates that are emailed between organizations.

What is the objective of the Cheat Sheet?

Fundamentally, I want a standard I can point to such that it mitigates the following risks:

  1. Doesn't require manual certificate management for mTLS. I really want to emphasize that preventing downtime is the goal here.
  2. Doesn't require using public CAs which are subject to their own problems.
  3. Actually guarantees some level of security/authentication when using mTLS.

What other resources exist in this area?

The quality of documents around mTLS is shockingly poor. Most tutorials on the subject recommend hard-coding credentials.
Other documents are basically sales pitches for low-quality vendor solutions which work only inside a walled garden.
@MarkSRobinson MarkSRobinson added ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. NEW_CS Issue about the creation of a new cheat sheet. labels Sep 17, 2024
@MarkSRobinson MarkSRobinson mentioned this issue Sep 17, 2024
Open
@kwwall
Copy link
Collaborator

kwwall commented Sep 17, 2024

@MarkSRobinson - I think this is a great idea, especially if you are willing to do the heavy lifting and create a PR. If you do that, I will volunteer to be one of the reviewers and if he doesn't mind, I'd like to volunteer @markgamache as the 2nd reviewer.

@mackowski mackowski added ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. and removed ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. labels Sep 18, 2024
@mackowski
Copy link
Collaborator

Agree with @kwwall this is a good idea. @MarkSRobinson do you want to create initial PR?

@MarkSRobinson
Copy link
Author

Yup, I'll get started on it.

@szh szh removed the HELP_WANTED Issue for which help is wanted to do the job. label Sep 18, 2024
@markgamache
Copy link
Contributor

Yup, I'll get started on it.

I can't wait to see this. Given that this is pretty complex and there are a ton of tradeoffs, if you want to start with a more celebrative (g-doc or such) doc type, before a PR, that might be good.

@mackowski
Copy link
Collaborator

@MarkSRobinson anu updates on this

@MarkSRobinson
Copy link
Author

@mackowski I've got an early draft, but it's slow going.

The good news is the CAB plan to drop cert lifetimes to 47 days will definitely push this up the priority queue.

@jmanico
Copy link
Member

jmanico commented Apr 14, 2025

My take on mTLS is that implementing mutual TLS is brutally complicated when you're doing it manually, operationally.

By using a service mesh like istio makes it radically easier to do. Just my 2 cents.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@MarkSRobinson MarkSRobinson

Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. NEW_CS Issue about the creation of a new cheat sheet.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@jmanico @szh @kwwall @MarkSRobinson @markgamache @mackowski