Re: [TLS] TLS Proxy Server Extension

Martin Rex <mrex@sap.com> Fri, 29 July 2011 20:45 UTC

From: Martin Rex <mrex@sap.com>
Message-Id: <201107292044.p6TKinFB022634@fs4113.wdf.sap.corp>
To: matt@mattmccutchen.net
Date: Fri, 29 Jul 2011 22:44:49 +0200
In-Reply-To: <1311915090.2035.36.camel@localhost> from "Matt McCutchen" at Jul 29, 11 00:51:30 am
Cc: pgladstone@cisco.com, mcgrew@cisco.com, tls@ietf.org
Subject: Re: [TLS] TLS Proxy Server Extension

Matt McCutchen wrote:
> 
> On Wed, 2011-07-27 at 20:17 +0200, Martin Rex wrote:
> > Only for Web-Browser scenario can I personally see a very limited
> > value that does not amount to 100% wiretapping.
> > 
> > Are you aware of rfc2804 "IETF Policy on Wiretapping"?
> > 
> >   http://tools.ietf.org/html/rfc2804
> > 
> > Standardizing MITM attacks on TLS-protected communication
> > ("lawful intercept?") seems like an extremely bad idea to me.
> 
> This is not wiretapping as defined in that policy.


I *STRONGLY* disagree.  That is very much about wiretapping and
even goes far beyond that, because it not only reveals the content
of the communication, it also allows the "TLS proxy" to arbitrarily
manipulate the communication in a fashion that might be entirely
concealed from the communication peers at the end.


I am strongly opposed to having any document describing such proxies
published as an RFC!


-Martin