[TLS] TLS and middleboxes again

Yoav Nir <ynir@checkpoint.com> Thu, 25 August 2011 07:38 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: "tls@ietf.org List" <tls@ietf.org>
Date: Thu, 25 Aug 2011 10:39:57 +0300

Hi all

Several weeks ago, Dave McGrew submitted a draft for improving the workings of TLS proxies. As expected, this generated a lot of controversy, with some people saying that they'd rather hand over the session keys to the middlebox than to standardize a MitM attack.

I was on the other side of that debate, but one problem with comparing the two alternatives is that for proxies there are several commercial products and Dave's draft, while there's nothing for key sharing. To remedy that, and help the discussion along, I've submitted the below draft. Comments and additional controversy are very welcome.

Yoav

Begin forwarded message:

> From: "internet-drafts@ietf.org" <internet-drafts@ietf.org>
> Date: August 25, 2011 10:30:46 AM GMT+03:00
> To: "i-d-announce@ietf.org" <i-d-announce@ietf.org>
> Subject: I-D Action: draft-nir-tls-keyshare-00.txt
> Reply-To: "internet-drafts@ietf.org" <internet-drafts@ietf.org>
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> 
> 	Title           : A Method for Sharing Record Protocol Keys with a Middlebox in TLS
> 	Author(s)       : Yoav Nir
> 	Filename        : draft-nir-tls-keyshare-00.txt
> 	Pages           : 11
> 	Date            : 2011-08-25
> 
>   This document contains a straw man proposal for a method for sharing
>   symmetric session keys between a TLS client and a middlebox, so that
>   the middlebox can decrypt the TLS-protected traffic.
> 
>   This method is an alternative to the middlebox becoming a proxy.
> 
> 
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-nir-tls-keyshare-00.txt