Re: [therightkey] Basically, it's about keeping the CAs honest
Phillip Hallam-Baker <hallam@gmail.com> Mon, 13 February 2012 19:26 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6D2A21F873C for <therightkey@ietfa.amsl.com>; Mon, 13 Feb 2012 11:26:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.391
X-Spam-Level:
X-Spam-Status: No, score=-3.391 tagged_above=-999 required=5 tests=[AWL=0.208, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ELl7sbrov0T for <therightkey@ietfa.amsl.com>; Mon, 13 Feb 2012 11:26:42 -0800 (PST)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 15AF921F873B for <therightkey@ietf.org>; Mon, 13 Feb 2012 11:26:41 -0800 (PST)
Received: by ghbg16 with SMTP id g16so2977953ghb.31 for <therightkey@ietf.org>; Mon, 13 Feb 2012 11:26:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=uc14N8FMazCxVmX0gLYcxbwzCjKrbAeWv1jXUHeBoGk=; b=m0l3e3S52NNQgGn2qUD0ylOkEKQyWlD0m0UoVp4SScEhgDEptwT/k1L6MB9Pif/Zhm Ne6ObYLvKcmDLhg7o2bWZ97hP87nSp57CwnB4kEhNpu81rGGxvJqPX7W/JAKLe30rHsY TSHv189xAaR0NVM5WsdElqj6xJFOzQdgCWvq8=
MIME-Version: 1.0
Received: by 10.60.7.102 with SMTP id i6mr4984985oea.9.1329161198011; Mon, 13 Feb 2012 11:26:38 -0800 (PST)
Received: by 10.182.75.138 with HTTP; Mon, 13 Feb 2012 11:26:37 -0800 (PST)
In-Reply-To: <CAK3OfOg7H5y614DQeDDnznxxAbopXiTbuy4UjPprrigSw+D_DA@mail.gmail.com>
References: <201202131636.q1DGafVR006049@fs4113.wdf.sap.corp> <0600CF7A-A8CB-4E35-B729-43D626434645@virtualized.org> <CAMm+LwjkPZm9FF=FGx+vb_JxLRbygm-y1H85Powq6U0UfxSKCQ@mail.gmail.com> <CAK3OfOg7H5y614DQeDDnznxxAbopXiTbuy4UjPprrigSw+D_DA@mail.gmail.com>
Date: Mon, 13 Feb 2012 14:26:37 -0500
Message-ID: <CAMm+LwhmegoV7W_BNZy72_7QyU=YiisaObHHVmaU8EQvhxbRUA@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Nico Williams <nico@cryptonector.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: therightkey@ietf.org, mrex@sap.com, David Conrad <drc@virtualized.org>
Subject: Re: [therightkey] Basically, it's about keeping the CAs honest
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Feb 2012 19:26:43 -0000
On Mon, Feb 13, 2012 at 1:42 PM, Nico Williams <nico@cryptonector.com> wrote: > On Mon, Feb 13, 2012 at 12:32 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote: >> +1 >> >> It is also worth pointing out that the MITM certs stopped being >> offered commercially as soon as it became public knowledge that they >> had been. >> >> Presumably the next step the companies providing this facility will >> take is to offer their own browser with the capability built in. It is >> no good jumping up and down saying people should not make such >> devices. The choice we have is whether to do the job right or let them >> do it without any input. >> >> >> What I find wrong with the MITM proxies is that they offer a >> completely transparent mechanism. The user is not notified that they >> are being logged. I think that is a broken approach because the whole >> point of accountability controls is that people behave differently >> when they know they are being watched. > > I'm confused: if this is wrong, and if preventing MITMing CAs leads to > an MITM model that is right (because the users are informed), then why > does it no good to jump up and down saying that people should not make > MITM devices? It seems to me that it will have done plenty of good. Bluecoat has been selling the boxes for years, they will continue to sell them. The only difference is that now the enterprise has to install its own root into all the browsers. But that means those corporate users are not being informed that the MITM is taking place. Which means their security expectations are still being violated. > The object for me is not to prevent MITMing when the user knows. I > really don't care about corporate MITM devices because I assume users > (employees, contractors) are informed. Like you I care about MITM > devices that users *don't* know about. I assume that being informed means no more than being told that water contains chamicals known to the state of California to cause cancer. So no, I do not consider that an 'informed user'. > Not all spy-on-your-employees solutions are bad, thus the fact that > alternatives will arise does not necessarily bother me. Only those > that can be used against users who are not informed or have no way to > avoid the MITM (employees can always... not use employer networks for > personal use). Think of people in Iran, Syria, ... Iran peddles backdoored versions of Word, Windows and such. They are ahead of you there. -- Website: http://hallambaker.com/
- [therightkey] Basically, it's about keeping the C… Nico Williams
- Re: [therightkey] Basically, it's about keeping t… Martin Rex
- Re: [therightkey] Basically, it's about keeping t… David Conrad
- Re: [therightkey] Basically, it's about keeping t… Phillip Hallam-Baker
- Re: [therightkey] Basically, it's about keeping t… Nico Williams
- Re: [therightkey] Basically, it's about keeping t… David Conrad
- Re: [therightkey] Basically, it's about keeping t… Martin Millnert
- Re: [therightkey] Basically, it's about keeping t… Martin Millnert
- Re: [therightkey] Basically, it's about keeping t… Martin Rex
- Re: [therightkey] Basically, it's about keeping t… Phillip Hallam-Baker
- Re: [therightkey] Basically, it's about keeping t… Martin Rex
- Re: [therightkey] Basically, it's about keeping t… Benjamin Kreuter
- Re: [therightkey] Basically, it's about keeping t… Yoav Nir
- Re: [therightkey] Basically, it's about keeping t… Kyle Hamilton
- Re: [therightkey] Basically, it's about keeping t… Chris Palmer
- Re: [therightkey] Basically, it's about keeping t… Kyle Hamilton
- Re: [therightkey] Basically, it's about keeping t… Kyle Hamilton
- Re: [therightkey] Basically, it's about keeping t… Chris Palmer
- Re: [therightkey] Basically, it's about keeping t… Martin Millnert
- Re: [therightkey] Basically, it's about keeping t… Paul Lambert
- Re: [therightkey] Basically, it's about keeping t… Nico Williams
- Re: [therightkey] Basically, it's about keeping t… Phillip Hallam-Baker
- Re: [therightkey] Basically, it's about keeping t… Kyle Hamilton
- Re: [therightkey] Basically, it's about keeping t… Nico Williams
- Re: [therightkey] Basically, it's about keeping t… Martin Rex
- Re: [therightkey] Basically, it's about keeping t… Kyle Hamilton
- Re: [therightkey] Basically, it's about keeping t… Stephen Farrell
- Re: [therightkey] Basically, it's about keeping t… Kyle Hamilton
- Re: [therightkey] Basically, it's about keeping t… Kyle Hamilton
- Re: [therightkey] Basically, it's about keeping t… Paul Lambert
- Re: [therightkey] Basically, it's about keeping t… Paul Lambert
- Re: [therightkey] Basically, it's about keeping t… Carl Wallace
- Re: [therightkey] Basically, it's about keeping t… Kyle Hamilton
- Re: [therightkey] Basically, it's about keeping t… Paul Lambert
- Re: [therightkey] Basically, it's about keeping t… Martin Rex
- Re: [therightkey] Basically, it's about keeping t… Martin Rex
- Re: [therightkey] Basically, it's about keeping t… Phillip Hallam-Baker
- Re: [therightkey] Basically, it's about keeping t… Tom Ritter
- Re: [therightkey] Basically, it's about keeping t… Phillip Hallam-Baker
- Re: [therightkey] Basically, it's about keeping t… Daniel Kahn Gillmor
- Re: [therightkey] Basically, it's about keeping t… Paul Lambert
- Re: [therightkey] Basically, it's about keeping t… Phillip Hallam-Baker
- Re: [therightkey] Basically, it's about keeping t… Tom Ritter
- Re: [therightkey] Basically, it's about keeping t… Daniel Kahn Gillmor
- Re: [therightkey] Basically, it's about keeping t… Paul Lambert
- Re: [therightkey] Basically, it's about keeping t… Phillip Hallam-Baker