Re: [TLS] TLS Proxy Server Extension

Martin Rex <mrex@sap.com> Tue, 02 August 2011 17:30 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81A9611E80B6 for <tls@ietfa.amsl.com>; Tue, 2 Aug 2011 10:30:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.936
X-Spam-Level:
X-Spam-Status: No, score=-9.936 tagged_above=-999 required=5 tests=[AWL=0.313, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WeqzMDEVIg7I for <tls@ietfa.amsl.com>; Tue, 2 Aug 2011 10:30:43 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 9866111E80B3 for <tls@ietf.org>; Tue, 2 Aug 2011 10:30:43 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p72HUYbS011451 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 2 Aug 2011 19:30:39 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201108021730.p72HUYem015518@fs4113.wdf.sap.corp>
To: matt@mattmccutchen.net (Matt McCutchen)
Date: Tue, 2 Aug 2011 19:30:33 +0200 (MEST)
In-Reply-To: <1312302676.2174.31.camel@localhost> from "Matt McCutchen" at Aug 2, 11 12:31:16 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] TLS Proxy Server Extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2011 17:30:44 -0000

Matt McCutchen wrote:
> 
> A person using a corporate laptop has no expectation of privacy from the
> company.  The proxy extension just offers a technically more capable
> solution for that scenario.

Not everyone is living in totalitarian countries where this might apply.

As I previously said, our constitution provides fundamental gurantees
of privacy, and protects against both, government agencies spying
on citizens as well as employers spying on employees.


> 
> No one is proposing, per se, that TLS interception be used in any more
> places than it is now.  Of course, interception may now be used in
> places where it was always desired but could not be used before due to
> protocol issues.  However, it's hard to believe that the proxy extension
> would change the market and/or legal forces that currently restrain ISPs
> from routinely intercepting customer traffic, if that is what Martin is
> worried about.

No, it is primarily about the employer spying on employee case, which
has been clearly ruled unconstitutional in Germany.  But the stiff penal
code that might provide sufficient deterrant for ISPs does not universally
apply to employers, leaving you with civil action an "cease and desist"
and a number of completely clueless entry courts.


> 
> The TLS WG may have a personal distaste for the use case addressed by
> the extension.  But I would reason that the use case is valid, thus the
> extension is worthy of standardization to get interoperable
> implementations, and the TLS WG is the best venue available for
> technical discussion.  As David explained
> (https://www.ietf.org/mail-archive/web/tls/current/msg07920.html), the
> use case does not constitute wiretapping as defined in RFC 2804.

I haven't heard any use cases for the TLS proxy in this discussion
that are not factually equivalent to wiretapping.


-Martin