Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

Paul Turner <> Thu, 19 October 2017 17:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C437D134231 for <>; Thu, 19 Oct 2017 10:07:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.292
X-Spam-Status: No, score=0.292 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cUnId-HynMAy for <>; Thu, 19 Oct 2017 10:07:25 -0700 (PDT)
Received: from (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1DFE3134228 for <>; Thu, 19 Oct 2017 10:07:25 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1034.26; Thu, 19 Oct 2017 11:07:22 -0600
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1034.26; Thu, 19 Oct 2017 11:07:21 -0600
Received: from ([fe80::e9c4:73d1:e66e:cff6]) by ([fe80::e9c4:73d1:e66e:cff6%12]) with mapi id 15.01.1034.026; Thu, 19 Oct 2017 11:07:21 -0600
From: Paul Turner <>
To: "Salz, Rich" <>, "" <>
Thread-Topic: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
Date: Thu, 19 Oct 2017 17:07:21 +0000
Message-ID: <>
References: <> <> <> <> <000501d348e5$1f273450$5d759cf0$> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 19 Oct 2017 17:07:26 -0000

> Subverting one CA cuts across a large scale of Internet traffic and might be
> noticed or can be routed around.  

With respect to "be noticed", forcing clients to opt-in seems like it would clearly be noticed. My understanding was that you were saying that the middlebox could block traffic. That seems in conflict with your statement that they can be "routed around". 

>Certificate transparency helps prevent a
> single CA from being coerced into misissuance.  

It seems like a middlebox that is able to deny traffic (has that level of power, would simply use their own CA and force trust of that)

>With this extension, someone
> doesn’t have to coerce a CA or force victims to trust a new CA.  Instead they
> have to gain the cooperation of the origin(s) they are interested in.  

Gaining the cooperation of the servers (origins) seems relevant. If they get the cooperation of the servers, they can simply get the data directly from them. But, again, they also have to get the cooperation of the clients. 

If a middlebox has sufficient power to block traffic, force clients into opting in, and coerce servers into opting in, it seems like they have sufficient alternative options that are of equivalent effort ("ease").