Re: [TLS] Fwd: I-D Action: draft-lemon-tls-blocking-alert-00.txt
Dave Garrett <davemgarrett@gmail.com> Tue, 07 June 2016 21:28 UTC
Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D34812D873 for <tls@ietfa.amsl.com>; Tue, 7 Jun 2016 14:28:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AhggIcZNK7rs for <tls@ietfa.amsl.com>; Tue, 7 Jun 2016 14:28:37 -0700 (PDT)
Received: from mail-yw0-x229.google.com (mail-yw0-x229.google.com [IPv6:2607:f8b0:4002:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DDB212D86D for <tls@ietf.org>; Tue, 7 Jun 2016 14:28:37 -0700 (PDT)
Received: by mail-yw0-x229.google.com with SMTP id x189so182683040ywe.3 for <tls@ietf.org>; Tue, 07 Jun 2016 14:28:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-transfer-encoding:message-id; bh=YuSAdemDGnY2kBsNPTuGFlSogFwKXqV8Gfuwb4IbmXE=; b=jaU4iz4BwS6XQosltDVGj+mCyE3vfUOckn0xDgPJ72AmggZnRnWh4lmEROtB39bB/v iY1JhZiymhIfqy9wVJMlOsuEREG81LxiMH0/sA7lf+K2tPNmXZpKwc+uJDMc0ai0iyWd 0egD/p5yb0ki388UzrBzwERkIyBCYOoFYQqKtJWil/PVb3RCIv5VHxai7giiI+M+RrSm IqTb1XMcyW9AABtb1t/r3cSeZTFB5o1h2i17XzfZklZ2vJENpW9JjGhAcmLr2bKRhmg8 9MwJU8Bo2f9ow330E6q7WS/zt++cKMHtfc6Ujxe9ji6VOYAGmRtqbCQPwRVXzFjShfLX gQVw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:date:user-agent:cc:references :in-reply-to:mime-version:content-transfer-encoding:message-id; bh=YuSAdemDGnY2kBsNPTuGFlSogFwKXqV8Gfuwb4IbmXE=; b=aoYnkxH5A8WHl7g2sYoT0FVtwhLdyZg0tcIWtNSY30gPE1VhyE57ofOAX6AexWNlUH 3u1ErOakZothkDAODx0GDFMz3bTeeeay9Be1cr/0olgimQvhYmaq8+KXGU676MRv/uqH OTqfNv5hyz5FoPekqdNpTySZyKtLKBmRoch9eDxkZRyHQQJ7KC0Mkyg0HHupzR1sjVXI FwM4Vo1g5Brvl+ZmdwLk0u5Bq9aYZh3JqnDti2LyFeEaQRAYPXt2biDensJcUeflWCw5 bjd3J8ax3aT5sSavRpBNIwZn7nSYzFm/2htMMboIIoevVOP0fM11niOtF92T+xWZE5wC T62Q==
X-Gm-Message-State: ALyK8tLGrUc5Q4ca+8Tagd0L8G/C0i/w8IoETsQFec6B/eURmNN/qAyPL0Gk2nhQqmoYzw==
X-Received: by 10.129.86.5 with SMTP id k5mr989040ywb.141.1465334916720; Tue, 07 Jun 2016 14:28:36 -0700 (PDT)
Received: from dave-laptop.localnet (pool-71-185-27-22.phlapa.fios.verizon.net. [71.185.27.22]) by smtp.gmail.com with ESMTPSA id d71sm15505834ywb.50.2016.06.07.14.28.35 (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 07 Jun 2016 14:28:35 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Tue, 07 Jun 2016 17:28:34 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <20160606171459.20797.7839.idtracker@ietfa.amsl.com> <3372929.xMFAkkVyhb@pintsize.usersys.redhat.com> <CAPt1N1m7UUAERkLFc=p1wA-PWdkkfL7CThUhkKnQzWW9Dd2cQw@mail.gmail.com>
In-Reply-To: <CAPt1N1m7UUAERkLFc=p1wA-PWdkkfL7CThUhkKnQzWW9Dd2cQw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201606071728.34613.davemgarrett@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HlMrZBehz6w1J3nM7nQboBepZPk>
Subject: Re: [TLS] Fwd: I-D Action: draft-lemon-tls-blocking-alert-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jun 2016 21:28:39 -0000
On Tuesday, June 07, 2016 03:57:32 pm Ted Lemon wrote: > The point of the different result codes is to give the end-user some basis > for figuring out why they didn't get to the site. "Malicious site" is > different than "policy violation." A malicious site is a site that serves > malware, or does phishing, or typosquatting, or something like that. > Policy violation could be "no facebook during business hours." Policies > are typically under user control, so being able to know that you can do > something to address the problem is key. I think the problem that we would want to stress here is that there are far too many places where things that people just don't like get treated as "malicious" and policies are created to block them. The difference between the two is valid, but I have no faith whatsoever that people can really rely on them being properly labeled and communicated. As far as I'm concerned, the determination of explicit designation as malicious is up to the client and any sort of its _own_ content blocking, not anything on the network. As such, I feel like these two alerts can't safely be considered separate. One alert simply for all prohibited connections, without trying to explain human reasoning in one bit of information, would be preferable. Likewise, I don't immediately see why captive portals are sufficiently different from the account attention requested/required cases to warrant separate designation. Upon reading the draft, my first impression is that a set of 3 codes (preferably named more akin to: network_prohibited_connection, network_account_reqested, network_account_required) instead of the current 5 would be more appropriate, and even then, the please/maybe/whatever nature of the second one seems a little odd to me. Just the two "nobody allowed ever" and "you're not allowed (yet)" alerts are the only ones I see particularly convincing justification for. Dave
- [TLS] Fwd: I-D Action: draft-lemon-tls-blocking-a… Ted Lemon
- Re: [TLS] Fwd: I-D Action: draft-lemon-tls-blocki… Hubert Kario
- Re: [TLS] Fwd: I-D Action: draft-lemon-tls-blocki… Ted Lemon
- Re: [TLS] Fwd: I-D Action: draft-lemon-tls-blocki… Brian Smith
- Re: [TLS] Fwd: I-D Action: draft-lemon-tls-blocki… Ted Lemon
- Re: [TLS] Fwd: I-D Action: draft-lemon-tls-blocki… Dave Garrett