Re: [keyassure] The SSL Proxy Issue
Yoav Nir <ynir@checkpoint.com> Sat, 19 February 2011 19:05 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5A9F43A6FB3 for <keyassure@core3.amsl.com>; Sat, 19 Feb 2011 11:05:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.557
X-Spam-Level:
X-Spam-Status: No, score=-10.557 tagged_above=-999 required=5 tests=[AWL=0.042, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HJlOJvYiKKLM for <keyassure@core3.amsl.com>; Sat, 19 Feb 2011 11:05:42 -0800 (PST)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by core3.amsl.com (Postfix) with ESMTP id 22D7F3A6FB0 for <keyassure@ietf.org>; Sat, 19 Feb 2011 11:05:41 -0800 (PST)
X-CheckPoint: {4D6014AA-20000-1B221DC2-2FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id p1JJ6GLc011619; Sat, 19 Feb 2011 21:06:16 +0200
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([194.29.34.26]) with mapi; Sat, 19 Feb 2011 21:06:16 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Date: Sat, 19 Feb 2011 21:06:14 +0200
Thread-Topic: [keyassure] The SSL Proxy Issue
Thread-Index: AcvQaBUeplOKSxMrQISBJiEkx4j5TQ==
Message-ID: <AA60939A-B93E-43E1-8224-AD230576CA61@checkpoint.com>
References: <AANLkTim9=3=GJZmSQRqJp7_p4_4wqTAoF7zrmAMoACQj@mail.gmail.com> <AANLkTinAcUsg4shshQrKrC-c71HoTdC+Sjix7JHrfsxh@mail.gmail.com> <AANLkTinAotQwLQC91gWZrHDz1DBPoHZ-DH-q+_UYZrWU@mail.gmail.com>
In-Reply-To: <AANLkTinAotQwLQC91gWZrHDz1DBPoHZ-DH-q+_UYZrWU@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Adam Langley <agl@imperialviolet.org>, "keyassure@ietf.org" <keyassure@ietf.org>
Subject: Re: [keyassure] The SSL Proxy Issue
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Feb 2011 19:05:43 -0000
On Feb 19, 2011, at 8:16 PM, Phillip Hallam-Baker wrote: > OK and I assume that this means that this would certainly not be EV compatible (unless the signer is breaching the EV requirements) > > There are two use cases that I can see would drive this: > > 1) Enterprises that are required to track internal communications. What do you mean by "are required to"? Lots of times this comes from either a "security officer" or an auditor who says, "there's this tool in the toolbox. Why aren't you using it?" The legitimate use can be that the company has some application firewall that blocks HTTP based attacks. Without an SSL proxy, you can't block the attacks if they're over HTTPS. > > 2) Governments looking to perform covert surveillance. > > > I only recognize one of these use cases as legitimate. The other is really an anti-use case (attack). I agree. An attack is an attack, even if the attacker works for the good guys. Even if the attacker is doing it for my own good. > The only difference I can see in these use cases is the 'covert' part. I think it is OK to have a hole, provided the users know that there is a hole. Well, it's the employer's computer and the employer's SSL proxy. The trust anchor store is controlled by the employer through the operating system's remote management tools. The employee need never know, so I'm not sure if this doesn't fall under 'covert' as well.
- [keyassure] The SSL Proxy Issue Phillip Hallam-Baker
- Re: [keyassure] The SSL Proxy Issue Adam Langley
- Re: [keyassure] The SSL Proxy Issue Phillip Hallam-Baker
- Re: [keyassure] The SSL Proxy Issue Steingruebl, Andy
- Re: [keyassure] The SSL Proxy Issue Paul Hoffman
- Re: [keyassure] The SSL Proxy Issue Steingruebl, Andy
- Re: [keyassure] The SSL Proxy Issue Steingruebl, Andy
- Re: [keyassure] The SSL Proxy Issue Yoav Nir
- Re: [keyassure] The SSL Proxy Issue Paul Hoffman
- Re: [keyassure] The SSL Proxy Issue Phillip Hallam-Baker
- Re: [keyassure] The SSL Proxy Issue Scott Schmit
- Re: [keyassure] The SSL Proxy Issue Paul Hoffman
- Re: [keyassure] The SSL Proxy Issue Phillip Hallam-Baker
- Re: [keyassure] The SSL Proxy Issue Paul Hoffman
- Re: [keyassure] The SSL Proxy Issue Yoav Nir