Re: [therightkey] Basically, it's about keeping the CAs honest

Martin Millnert <martin@millnert.se> Mon, 13 February 2012 19:15 UTC

On Mon, 2012-02-13 at 11:03 -0800, David Conrad wrote:
> On Feb 13, 2012, at 10:42 AM, Nico Williams wrote:
> > Not all spy-on-your-employees solutions are bad, thus the fact that
> > alternatives will arise does not necessarily bother me.
> 
> And they aren't all 'spy-on-your-employees'.  For example, companies such as CloudFlare (for whom I work), Incapsula, Torbit, etc., provide various web security and performance-related services by acting as a reverse proxy and scrubbing HTTP/HTTPS connections.  These services tend to be targeted at SMEs who are often less-than-technically-knowledgeable web site operators and those website owners will reject any solution that isn't transparent to their customers. While I can't speak for the others, CloudFlare's service is not in any way a "spy-on-your-employees" solution, rather it is a service in which website owners intentionally insert a MITM that helps them deal with various attacks (DDoS, blog spam, screen scrapers, etc).
> 

Conrad, this seems slightly different than the spy-on-your-employees
case though (close to server rather than client), in that the MITM
web-frontend would just be able to publish the original web site's cert,
or, another cert.  To some degree clients can just consider the MITM
machine to be the actual web server, and the actual web server to be the
web-server backend, right?

All the same, the client-facing cert would be the cert observed by the
notaries, for instance.

/M