IETF Logo Mail Archive

Re: [pkix] How do we differentiate authentic servers from proxies performing TLS interception?

"Miller, Timothy J." <tmiller@mitre.org> Thu, 12 November 2015 17:21 UTC

Return-Path: <tmiller@mitre.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5143B1B2A57 for <pkix@ietfa.amsl.com>; Thu, 12 Nov 2015 09:21:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TpMJdAcyR_Gj for <pkix@ietfa.amsl.com>; Thu, 12 Nov 2015 09:21:24 -0800 (PST)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) by ietfa.amsl.com (Postfix) with ESMTP id 7DCC81AD364 for <pkix@ietf.org>; Thu, 12 Nov 2015 09:21:24 -0800 (PST)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id C8C836C00C3; Thu, 12 Nov 2015 12:21:23 -0500 (EST)
Received: from imshyb02.MITRE.ORG (imshyb02.mitre.org [129.83.29.3]) by smtpvmsrv1.mitre.org (Postfix) with ESMTP id B66846C4015; Thu, 12 Nov 2015 12:21:23 -0500 (EST)
Received: from imshyb02.MITRE.ORG (129.83.29.3) by imshyb02.MITRE.ORG (129.83.29.3) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Thu, 12 Nov 2015 12:21:23 -0500
Received: from na01-bn1-obe.outbound.protection.outlook.com (10.140.19.249) by imshyb02.MITRE.ORG (129.83.29.3) with Microsoft SMTP Server (TLS) id 15.0.1130.7 via Frontend Transport; Thu, 12 Nov 2015 12:21:23 -0500
Received: from BY2PR09MB109.namprd09.prod.outlook.com (10.242.36.149) by BY2PR09MB112.namprd09.prod.outlook.com (10.242.36.25) with Microsoft SMTP Server (TLS) id 15.1.318.15; Thu, 12 Nov 2015 17:21:22 +0000
Received: from BY2PR09MB109.namprd09.prod.outlook.com ([10.242.36.149]) by BY2PR09MB109.namprd09.prod.outlook.com ([10.242.36.149]) with mapi id 15.01.0318.003; Thu, 12 Nov 2015 17:21:22 +0000
From: "Miller, Timothy J." <tmiller@mitre.org>
To: "mrex@sap.com" <mrex@sap.com>
Thread-Topic: [pkix] How do we differentiate authentic servers from proxies performing TLS interception?
Thread-Index: AQHRHSZik1bCWQTVykKbY4mwcvoviJ6YWKZQgAA+FQCAAAsmwA==
Date: Thu, 12 Nov 2015 17:21:21 +0000
Message-ID: <BY2PR09MB109B9B70BC1746B516CB335AE120@BY2PR09MB109.namprd09.prod.outlook.com>
References: <BY2PR09MB1094EA71ADDC83440AE82F2AE120@BY2PR09MB109.namprd09.prod.outlook.com> <20151112163810.E8F351A368@ld9781.wdf.sap.corp>
In-Reply-To: <20151112163810.E8F351A368@ld9781.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=tmiller@mitre.org;
x-originating-ip: [192.160.51.86]
x-microsoft-exchange-diagnostics: 1; BY2PR09MB112; 5:Yxg3ug4nCKD3PP9OgFsUUpUhDgACfP5NZrn+MUTRWWHAeM6bZd3lxt1VsYeJjs9vns8B+snzxUsncBvQsp0LnpvQZl/6e2zbcYqUgOb7lTy3xmbjatdJzz1fFdA5BkWnmD0OwZr+v6FXDDYz0lhLrQ==; 24:5iQVjIJMR3ds/WS4coupKapjAQRm3oKFlYbZe9SeTzIF3HMdDJbmCZuPqVf95uRp7lc/2odjHbWzrVOiMpQo/aQPiQ279BTBxNgjOMJSrI8=; 20:WenD8IpOQZKblH8TPckXKfaivCjSWc2tkk9y7E8ajxUJGYjeRNjSvGl6u38oTFuyjW1gh8kZg5vP7WpXe+pm0w==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR09MB112;
x-microsoft-antispam-prvs: <BY2PR09MB11298A91F6BCB57C014F4A6AE120@BY2PR09MB112.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(520078)(8121501046)(10201501046)(3002001); SRVR:BY2PR09MB112; BCL:0; PCL:0; RULEID:; SRVR:BY2PR09MB112;
x-forefront-prvs: 07584EDBCD
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(189002)(199003)(2950100001)(5004730100002)(92566002)(33656002)(76176999)(74316001)(2351001)(5003600100002)(50986999)(106116001)(66066001)(54356999)(87936001)(76576001)(101416001)(105586002)(40100003)(106356001)(11100500001)(10400500002)(2501003)(77096005)(2900100001)(5001920100001)(5007970100001)(102836002)(5001960100002)(122556002)(5008740100001)(97736004)(99286002)(81156007)(189998001)(5002640100001)(110136002)(86362001)(7059030); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR09MB112; H:BY2PR09MB109.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: mitre.org does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Nov 2015 17:21:21.5947 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR09MB112
X-OriginatorOrg: mitre.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/wWmZFswKWCt7iiI8a1y_ZOqv2yE>
Cc: PKIX <pkix@ietf.org>
Subject: Re: [pkix] How do we differentiate authentic servers from proxies performing TLS interception?
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2015 17:21:26 -0000

> Just for the record, corporate security performing MitM on TLS connections
> of human user's browsers is *NOT* legitimate in Europe, it is clearly
> *OUTSIDE* of the legal wiggle room of 2002/58/EC for EU member states,
> and it has been a criminal offense (up to 5 years in prison) in Germany since
> 2004.

Irrelevant; a criminal MitM *still* isn't going to use an extension to identify himself.  

Binding the issuing authority to the name is what's needed, and that's not a certificate content problem.

-- T

v2.23.0 | Report a Bug | By Email