IETF Logo Mail Archive

Re: [therightkey] Basically, it's about keeping the CAs honest

"Kyle Hamilton" <aerowolf@gmail.com> Mon, 13 February 2012 23:18 UTC

Return-Path: <aerowolf@gmail.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CA6321F856D for <therightkey@ietfa.amsl.com>; Mon, 13 Feb 2012 15:18:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.846
X-Spam-Level:
X-Spam-Status: No, score=-1.846 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_BASE64_TEXT=1.753, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vZ56C7pG4XCz for <therightkey@ietfa.amsl.com>; Mon, 13 Feb 2012 15:18:29 -0800 (PST)
Received: from mail-tul01m020-f172.google.com (mail-tul01m020-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id CF01821F8552 for <therightkey@ietf.org>; Mon, 13 Feb 2012 15:18:23 -0800 (PST)
Received: by obbwd15 with SMTP id wd15so8609929obb.31 for <therightkey@ietf.org>; Mon, 13 Feb 2012 15:18:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=from:to:cc:date:message-id:subject:in-reply-to:references :mime-version:content-type; bh=Dg674AOz4lhFQhP+KxftN0kB1Ec5bZfCyRqxFVX8j8g=; b=jnIiVycUGuCTn0nwV+0ovZ1l8Mkiue70fWDainYq3tWAELG8KlQKa2+V+b3kXDovVo mP6XhfDhdgHB3OFSdAO/bmPsYDhIhTuRSp9PESUFYSN0YTAGiAVuK6dq7f/2lPAUM7Aa TleHjiXFGYWT+p+D9xbhy+D7xwiB16u0iv8SU=
Received: by 10.60.0.195 with SMTP id 3mr5119232oeg.2.1329175103507; Mon, 13 Feb 2012 15:18:23 -0800 (PST)
Received: from penango (jis1.qyv.name. [174.143.212.165]) by mx.google.com with ESMTPS id n7sm4200541oeh.4.2012.02.13.15.18.20 (version=SSLv3 cipher=OTHER); Mon, 13 Feb 2012 15:18:21 -0800 (PST)
From: Kyle Hamilton <aerowolf@gmail.com>
To: mrex@sap.com
Date: Mon, 13 Feb 2012 15:18:14 -0800
Message-ID: <gym4j6kw3igupdmfi2jezwJv4X.penango@mail.gmail.com>
In-Reply-To: <CAK3OfOhx_xbx1TrJL==BjmqVM8zZKDa8u4rQ7wCpKom4ZZODOg@mail.gmail.com>
References: <CAK3OfOhx_xbx1TrJL==BjmqVM8zZKDa8u4rQ7wCpKom4ZZODOg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="gmsm1.9.5eqgym4j6lwwlvxync89f2"
Cc: therightkey@ietf.org, Phillip Hallam-Baker <hallam@gmail.com>, drc@virtualized.org
Subject: Re: [therightkey] Basically, it's about keeping the CAs honest
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Feb 2012 23:18:29 -0000


On Mon, Feb 13, 2012 at 11:21 AM, Martin Rex <mrex@sap.com> wrote:
> Phillip Hallam-Baker wrote:
>>
>> What I find wrong with the MITM proxies is that they offer a
>> completely transparent mechanism. The user is not notified that they
>> are being logged. I think that is a broken approach because the whole
>> point of accountability controls is that people behave differently
>> when they know they are being watched.
>
> MITM proxies are bad in several ways.   Not only that they're trying
> to hide (by faking server certs), they also breaking client-cert
> authentication, interfere with TLS channel bindings and will
> break other approaches that intend to fix the shortcomings of the
> Browser's TLS X.509 PKI trust model.

Continuing to do the same thing and expecting different results is one of the definitions of insanity, you know?  Our prohibitions have led to our unenforceable prohibitions being broken.  We MUST stop prohibiting things, and recognize that there are valid use-cases which our narrow-minded interpretations of "Absolute Correctness Or It's Crap" have failed to take into account.

There are more things in Heaven and Earth than are dreamt of in your philosophy, Horatio.  They exist regardless of whether we agree with them.  The least we can do is permit them.

(And, there's another aspect: if we intentionally break all of the software that currently exists, we will have committed the largest technical attack on the international financial and communications infrastructure in history, and we would rightly be branded terrorists.)

-Kyle H

v2.23.0 | Report a Bug | By Email