[TLS] TLS extension for Proxies to transfer original Server certificate

"Babu.N" <babun@intoto.com> Tue, 28 August 2007 05:46 UTC

Message-Id: <200708280544.l7S5iRb1026327@brahma.hyd.intoto.com>
Date: Tue, 28 Aug 2007 11:15:54 +0530
To: tls@lists.ietf.org
From: "Babu.N" <babun@intoto.com>
Subject: [TLS] TLS extension for Proxies to transfer original Server certificate

Hi,

I have submitted a draft on "TLS extension for Proxies to transfer Server certificate": http://www.ietf.org/internet-drafts/draft-babu-serv-cert-trans-from-proxy-00.txt

Intercepting transparent proxies splice the client-server connection 
into two connections: the client-proxy connection and the proxy-server 
connection. On the client-proxy connection, the proxy sends its certificate 
to the client. As the client is generally (in such a scenario) 
pre-configured to accept the proxy's certificate, the client accepts and 
proceeds further with the connection. On the proxy-server connection, the 
server sends its certificate to the proxy. The proxy typically doesn't 
possess the information (like the MX domain name in the case of SMTP) 
required to validate the certificate. Certificate validation is 
at times very complex, and hence it is better to offload this 
responsibility to the original client itself.

This document addresses this issue by extending TLS to let the proxy send 
the server's certificate to the client for validation, and suggests how the 
client can indicate the certificate validation result to the proxy. Based 
on the client's decision, the proxy can determine whether to 
proceed with or terminate the connection.

I would like to hear feedback on this.


Thanks,
Babu


_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls