Re: [TLS] TLS Proxy Server Extension

Ken Peirce <> Tue, 02 August 2011 12:50 UTC

List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

After watching the back and forth on TLS proxies, and the ever increasing complexity of proposed bandaids to cover individual vulnerabilities, this is starting to look like rearranging the deck chairs on the Titanic. 

TLS is used by people to ensure end-to-end integrity and privacy, usually with PKI. Users are protected from intermediate parties if the system architects and the TLS management by the controlling application have correctly handled the design of the PKI (e.g. ensuring that the CN is in fact the desired name, that the root certificate applicable to the presented certificate is as expected, etc.).

If you want to proxy, you are delegating trust to another entity and effectively running a tandem pair of TLS sessions. 

IMHO, this is not a protocol issue. It is a systems engineering exercise in trust relationships. 

Most security people I know would agree with me that complexity is the enemy of security. Adding all of these modifications to the protocol only increases the chances of introducing new holes in its protection.

Ken Peirce

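The trust relationship the mail describes, worked through in code. This is an added example and not part of the original message or of anything the TLS working group produced; it uses only the Go standard library. The hostname example.test, the two CA names and the one-day validity period are made up for the example, and setup failures (key generation, certificate creation) simply panic. It builds the "tandem pair" situation: an origin CA issues a certificate for the host, an intercepting proxy's CA issues a second certificate for the same host, and a client-side check that enforces both conditions from the mail (the name is the one the application wanted, and the chain ends at the root the application expects) is run against each certificate under three trust stores.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign generates a P-256 key and has parent/parentKey sign tmpl for it; a nil
// parent self-signs. Setup failures (broken RNG, bad template) are fatal here.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA builds a self-signed root valid for one day (validity period is an assumption).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// issueLeaf has a CA sign a server certificate for host.
func issueLeaf(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, // current verifiers match the SAN, not the CN
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, caCert, caKey)
	return cert
}

// fingerprint is the hex SHA-256 of a certificate's DER encoding.
func fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// verifyServer is the application-side check the mail calls for: the leaf must
// be valid for the name the application wanted under the client's trust store,
// and when pinRoot is set the chain must end at that particular root rather
// than at whatever CA happens to be in the store.
func verifyServer(leaf *x509.Certificate, host string, roots *x509.CertPool, pinRoot string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return err // wrong name, expired, or no path to a trusted root
	}
	for _, chain := range chains { // chain[0] is the leaf, the last element is the root used
		if pinRoot == "" || fingerprint(chain[len(chain)-1]) == pinRoot {
			return nil
		}
	}
	return fmt.Errorf("chain is trusted by the store but does not end at the expected root")
}

// tandemScenario issues one leaf for host from the origin CA and one from an
// intercepting proxy's CA (the client-facing half of the tandem pair), then
// reports whether verifyServer accepts (true) each under three trust stores.
func tandemScenario(host string) map[string]bool {
	originCA, originKey := newCA("Origin Root CA")
	proxyCA, proxyKey := newCA("Corporate TLS Proxy CA")
	originLeaf := issueLeaf(originCA, originKey, host)
	proxyLeaf := issueLeaf(proxyCA, proxyKey, host) // what the client receives through the proxy
	strict := x509.NewCertPool() // the client as the application designer intended it
	strict.AddCert(originCA)
	delegated := x509.NewCertPool() // the same client after the proxy CA was pushed into its store
	delegated.AddCert(originCA)
	delegated.AddCert(proxyCA)
	return map[string]bool{
		"origin leaf, strict store":           verifyServer(originLeaf, host, strict, "") == nil,
		"proxy leaf, strict store":            verifyServer(proxyLeaf, host, strict, "") == nil,
		"proxy leaf, delegated store":         verifyServer(proxyLeaf, host, delegated, "") == nil,
		"proxy leaf, delegated store, pinned": verifyServer(proxyLeaf, host, delegated, fingerprint(originCA)) == nil,
	}
}

func main() {
	fmt.Println(tandemScenario("example.test")) // hostname made up for this example
}
```

Run it with `go run`. The proxy's certificate for the same hostname is rejected by a client that trusts only the origin root; it is accepted only after the proxy CA has been added to the client's store, which is exactly the delegation of trust the mail talks about, and it is rejected again once the application also checks that the chain ends at the root it expected. None of that depends on the TLS protocol itself; it is decided by what the client was configured to trust and by what the application chose to verify.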