Re: [therightkey] Basically, it's about keeping the CAs honest
Nico Williams <nico@cryptonector.com> Mon, 13 February 2012 18:42 UTC
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: therightkey@ietf.org, mrex@sap.com, David Conrad <drc@virtualized.org>

On Mon, Feb 13, 2012 at 12:32 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> +1
>
> It is also worth pointing out that the MITM certs stopped being
> offered commercially as soon as it became public knowledge that they
> had been.
>
> Presumably the next step the companies providing this facility will
> take is to offer their own browser with the capability built in. It is
> no good jumping up and down saying people should not make such
> devices. The choice we have is whether to do the job right or let them
> do it without any input.
>
>
> What I find wrong with the MITM proxies is that they offer a
> completely transparent mechanism. The user is not notified that they
> are being logged. I think that is a broken approach because the whole
> point of accountability controls is that people behave differently
> when they know they are being watched.

I'm confused: if this is wrong, and if preventing MITMing CAs leads to
an MITM model that is right (because the users are informed), then why
does it do no good to jump up and down saying that people should not make
MITM devices? It seems to me that it will have done plenty of good.

The object for me is not to prevent MITMing when the user knows. I
really don't care about corporate MITM devices because I assume users
(employees, contractors) are informed. Like you I care about MITM
devices that users *don't* know about.

Not all spy-on-your-employees solutions are bad, thus the fact that
alternatives will arise does not necessarily bother me. Only those
that can be used against users who are not informed or have no way to
avoid the MITM (employees can always... not use employer networks for
personal use). Think of people in Iran, Syria, ...

Nico