Re: [TLS] access_administratively_disabled v2

Mateusz Jończyk <mat.jonczyk@o2.pl> Wed, 03 January 2018 16:49 UTC

Return-Path: <mat.jonczyk@o2.pl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E066124D68 for <tls@ietfa.amsl.com>; Wed, 3 Jan 2018 08:49:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OESBvm_UgUWm for <tls@ietfa.amsl.com>; Wed, 3 Jan 2018 08:48:58 -0800 (PST)
Received: from mx-out.tlen.pl (mx-out.tlen.pl [193.222.135.142]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27C6A1241F5 for <tls@ietf.org>; Wed, 3 Jan 2018 08:48:57 -0800 (PST)
Received: (wp-smtpd smtp.tlen.pl 12405 invoked from network); 3 Jan 2018 17:48:55 +0100
Received: from agsa196.neoplus.adsl.tpnet.pl (HELO [192.168.1.22]) (mat.jonczyk@o2.pl@[217.99.78.196]) (envelope-sender <mat.jonczyk@o2.pl>) by smtp.tlen.pl (WP-SMTPD) with ECDHE-RSA-AES256-SHA encrypted SMTP for <stephen.farrell@cs.tcd.ie>; 3 Jan 2018 17:48:55 +0100
To: Eric Rescorla <ekr@rtfm.com>
References: <60555d44-340d-8aa7-eb45-3a23b758e5d2@o2.pl> <CABcZeBN=JHV3gY_JCkCUHHASEqcUQTUmmpRY5i66Dv53k=Z3Ag@mail.gmail.com> <3685a850-03ec-5162-414b-c2676022d661@o2.pl> <CABcZeBO0nzmfcA+1ujxceDtNKPGUBZQtBg4-yN-OpOSyEJ3bNg@mail.gmail.com> <eb4530ad-2e6e-d5b6-72e7-4f84dae635e3@o2.pl> <CABcZeBP_020ws24USXj-irN5LH02dGJhDXPZCKC=dJ_C=5AS2g@mail.gmail.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>, Martin Thomson <martin.thomson@gmail.com>, Lanlan Pan <abbypan@gmail.com>, Ted Lemon <mellon@fugue.com>, JW <jw@pcthink.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
From: =?UTF-8?Q?Mateusz_Jo=c5=84czyk?= <mat.jonczyk@o2.pl>
X-Enigmail-Draft-Status: N1110
Message-ID: <c0fb8693-ecb8-1bce-89c0-d40b9f2ae0f6@o2.pl>
Date: Wed, 3 Jan 2018 17:48:54 +0100
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBP_020ws24USXj-irN5LH02dGJhDXPZCKC=dJ_C=5AS2g@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-WP-MailID: b45eff8574abcc21a228e6de4c49b86c
X-WP-AV: skaner antywirusowy Poczty o2
X-WP-SPAM: NO 000000A [8TNk]
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/B-fK_zukHfbBDKN96wuYef6Dm9I>
Subject: Re: [TLS] access_administratively_disabled v2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jan 2018 16:49:00 -0000

W dniu 03.01.2018 o 17:31, Eric Rescorla pisze:
> 
> 
> On Wed, Jan 3, 2018 at 8:17 AM, Mateusz Jończyk <mat.jonczyk@o2.pl
> <mailto:mat.jonczyk@o2.pl>> wrote:
> 
>     W dniu 03.01.2018 o 16:28, Eric Rescorla pisze:
>     > Well, this seems like the first arm, in which you change the browser, so the
>     > question
>     > then becomes whether the browsers wish to do so. Are you aware of any
>     > browser vendor which is interested?
> 
>     I'm not exactly sure what You understand by "the first arm".
>     Of course it would have to be implemented in browsers, by me or somebody else.
>     Microsoft may wish to deploy this in their Forefront TMG, so browser support in
>     Internet Explorer / Edge would follow.
> 
> My question is whether any browser has indicated interest in doing so.
No, I didn't contact any browser vendors.

If an AlertDescription will be allocated, they will have to implement this at
least halfway - display some warning to the user, without necessarily contacting
access_administratively_disabled.net at all.

>     DNS already handles a large number of such entities and it somehow works and is
>     practical. Having a subdomain of access_administratively_disabled.net
>     <http://access_administratively_disabled.net> registered
>     would be expensive because a physical validation would have to be followed - it
>     would probably be no less expensive than EV certificates currently are.
> 
> 
> It's not a matter of scaling. It's a matter of having this many certificates
> that can
> all generate an acceptable message undermines the value of the signature
> because you now have a distributed single point of failure. 

Just like CAs.

I don't think that there will be more access_administratively_disabled.net
subdomains than there are CAs currently.

After all, the failure won't be very catastrophic: it will only enable someone
who already is able to intercept all traffic to slightly phish the users.

If some key will leak publicly, it will be simply revoked.

Greetings,
Mateusz

> 
> -Ekr
>