Re: [TLS] TLS Proxy Server Extension

Adam Langley <> Tue, 26 July 2011 21:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 121E15E800F for <>; Tue, 26 Jul 2011 14:52:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -105.902
X-Spam-Status: No, score=-105.902 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kzHFAaQdNJvQ for <>; Tue, 26 Jul 2011 14:52:00 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 339AC5E8008 for <>; Tue, 26 Jul 2011 14:52:00 -0700 (PDT)
Received: from ( []) by with ESMTP id p6QLpw66015437 for <>; Tue, 26 Jul 2011 14:51:59 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;; s=beta; t=1311717119; bh=4o7DQRwJf5JlOxnfWrOjF+1c2co=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type:Content-Transfer-Encoding; b=Eltn3GsAb9g9n5+jMSUXUXih3YOK3H0Sj2LzduAxGaXHvyG+CB5YWm/wZIANqe5kQ U5eGNxU5m9xTa17YAnRcQ==
DomainKey-Signature: a=rsa-sha1; s=beta;; c=nofws; q=dns; h=dkim-signature:mime-version:in-reply-to:references:date: message-id:subject:from:to:cc:content-type: content-transfer-encoding:x-system-of-record; b=ElsF61ESmqYff16+iQ8nMzABS11rWYujg5upPrxOY2h6Dwu7OVlZ7D7O8VwbJRmQU Kzkl/vdsK+t7a6UczH9IA==
Received: from gyc15 ( []) by with ESMTP id p6QLpvIE006148 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <>; Tue, 26 Jul 2011 14:51:57 -0700
Received: by gyc15 with SMTP id 15so681823gyc.38 for <>; Tue, 26 Jul 2011 14:51:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=72bTU8t5oFgwipyVft2LJSm9kjyhHgInBYcdYRfYatI=; b=t2Pz0JVSAi0RT7Phk1zYFb7reX7gn1AvvvprnxySVFV+xiJPaN9lqsg4tm3SsrIvl0 4DUH1AEFgD7MVMl4cx7g==
MIME-Version: 1.0
Received: by with SMTP id b20mr6407441ybi.91.1311717116816; Tue, 26 Jul 2011 14:51:56 -0700 (PDT)
Received: by with HTTP; Tue, 26 Jul 2011 14:51:56 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <>
Date: Tue, 26 Jul 2011 17:51:56 -0400
Message-ID: <>
From: Adam Langley <>
To: Yoav Nir <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: Philip Gladstone <>, David McGrew <>, "" <>
Subject: Re: [TLS] TLS Proxy Server Extension
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 26 Jul 2011 21:52:01 -0000

On Tue, Jul 26, 2011 at 5:41 PM, Yoav Nir <> wrote:
> Really?  I thought Chrome used the operating system TA store. How can it tell the difference between a trust anchor that was installed by Microsoft and one that was installed by the user?

Not in any very clean way I'm afraid:

> But I know that the EV indication goes away behind a proxy, and there's no way to make your CA certificate "EV" to the browser. Dave's proposal allows the green label to come back.

I've poked BlueCoat at least about this problem in the past and they
didn't appear to be too exercised by it. It's really the MITM folks
who need to figure out if this address their needs or not. I simply
don't know the requirements in this space well enough to know if the
draft meets them. From my point of view, we keep MITM in the back of
our minds but otherwise mostly ignore them except to ban certain
troublesome vendors from time to time.