[pkix] How do we differentiate authentic servers from proxies performing TLS interception?

Jeffrey Walton <noloader@gmail.com> Thu, 12 November 2015 08:43 UTC

Date: Thu, 12 Nov 2015 03:43:40 -0500
Message-ID: <CAH8yC8=7YP-p=fEL4nFdemiiqU7wm=y7Um=PGgR0=ZbH=mNemQ@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: PKIX <pkix@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/4rqDagu34xrAW5LvMGZILo8aZak>
Subject: [pkix] How do we differentiate authentic servers from proxies performing TLS interception?

Hi Everyone,

I've been through RFC 5280 and 6125 looking for a treatment of the
subject matter, but I could not find it. I would expect it to show up
somewhere, like KU or EKU, but the bits appear to be missing.

How do we differentiate authentic servers from proxies performing TLS
interception?

Thanks in advance.