Re: [therightkey] Basically, it's about keeping the CAs honest
Martin Millnert <martin@millnert.se> Mon, 13 February 2012 19:15 UTC
From: Martin Millnert <martin@millnert.se>
To: David Conrad <drc@virtualized.org>
Date: Mon, 13 Feb 2012 20:15:39 +0100
Cc: Nico Williams <nico@cryptonector.com>, therightkey@ietf.org
Subject: Re: [therightkey] Basically, it's about keeping the CAs honest
On Mon, 2012-02-13 at 11:03 -0800, David Conrad wrote:
> On Feb 13, 2012, at 10:42 AM, Nico Williams wrote:
> > Not all spy-on-your-employees solutions are bad, thus the fact that
> > alternatives will arise does not necessarily bother me.
>
> And they aren't all 'spy-on-your-employees'. For example, companies such as CloudFlare (for whom I work), Incapsula, Torbit, etc., provide various web security and performance-related services by acting as a reverse proxy and scrubbing HTTP/HTTPS connections. These services tend to be targeted at SMEs who are often less-than-technically-knowledgeable web site operators, and those website owners will reject any solution that isn't transparent to their customers. While I can't speak for the others, CloudFlare's service is not in any way a "spy-on-your-employees" solution; rather it is a service in which website owners intentionally insert a MITM that helps them deal with various attacks (DDoS, blog spam, screen scrapers, etc).

Conrad, this seems slightly different than the spy-on-your-employees case though (close to server rather than client), in that the MITM web-frontend would just be able to publish the original web site's cert, or another cert. To some degree clients can just consider the MITM machine to be the actual web server, and the actual web server to be the web-server backend, right? All the same, the client-facing cert would be the cert observed by the notaries, for instance.

/M
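As an added illustration (not code from the thread or from any of the products named), here is a small Python model of the notary comparison Martin describes: the client compares the certificate it is shown with what independent notaries observe for the same host. The quorum rule, notary names and sample certificate bytes are constructed assumptions.

```python
"""Notary-style consistency check for a client-facing certificate.

A server-side reverse proxy presents one client-facing certificate to
everyone (its own, or the origin's), so notaries and the client agree.
An interceptor on the client's path shows a certificate the notaries
never see, which the comparison flags."""
import hashlib
from collections import Counter


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 fingerprint of a (here constructed) DER certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def notary_verdict(client_seen: str, observations: dict, quorum: int = 2) -> str:
    """observations maps notary name -> fingerprint that notary saw.

    'consistent'   : at least `quorum` notaries saw what the client saw
    'mismatch'     : a quorum agrees on a different fingerprint
    'undetermined' : too few agreeing observations to decide
    """
    counts = Counter(observations.values())
    if not counts:
        return "undetermined"
    if counts[client_seen] >= quorum:
        return "consistent"
    top, n = counts.most_common(1)[0]
    if n >= quorum and top != client_seen:
        return "mismatch"
    return "undetermined"


# Constructed placeholders, not real DER certificates.
ORIGIN_CERT = b"CONSTRUCTED origin-site cert for example.test"
PROXY_CERT = b"CONSTRUCTED reverse-proxy cert for example.test"
INTERCEPT_CERT = b"CONSTRUCTED client-path interceptor cert for example.test"


def verdict_for(client_cert: bytes, notary_cert: bytes,
                n_notaries: int = 3, quorum: int = 2) -> str:
    """Every notary reaches the public front end and sees notary_cert;
    the client is shown client_cert. Returns the notary verdict."""
    seen = {f"notary{i}": fingerprint(notary_cert) for i in range(n_notaries)}
    return notary_verdict(fingerprint(client_cert), seen, quorum)


if __name__ == "__main__":
    print("proxy publishes origin cert:", verdict_for(ORIGIN_CERT, ORIGIN_CERT))
    print("proxy publishes own cert:   ", verdict_for(PROXY_CERT, PROXY_CERT))
    print("client-side interception:   ", verdict_for(INTERCEPT_CERT, PROXY_CERT))
```

Whether the front end republishes the origin's certificate or its own, the client and the notaries see the same thing; only a certificate substituted on the client's own path produces a mismatch.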