Re: [TLS] Captive portals, "access administratively disabled" and alert messages

Stephen Farrell <> Tue, 02 January 2018 20:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0413D12D7EF for <>; Tue, 2 Jan 2018 12:18:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01, T_SPF_TEMPERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id qU8l83yqUzWb for <>; Tue, 2 Jan 2018 12:18:45 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A808812422F for <>; Tue, 2 Jan 2018 12:18:45 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 70B28BE4D; Tue, 2 Jan 2018 20:18:44 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id iFOKP8e-vjr9; Tue, 2 Jan 2018 20:18:43 +0000 (GMT)
Received: from [] ( []) by (Postfix) with ESMTPSA id EE5D8BE49; Tue, 2 Jan 2018 20:18:42 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=mail; t=1514924323; bh=KnHTdne8zZBZF9BqP1OKimL/p1QWmuoDf8qphHsfhVk=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=UYX6xsghlOGUo0C1mzfLG4wvcgGNI7d5SqBdq40aiSrfIR6qjSVrZUeUCTIQbgSAQ n8kThGcjq3Ttfw00O517yKjJOoz0sTVrn/kAg0+gqJiB3EbrIFeMbTPr7IckRstos5 fI+bth4vIMRzmbbbPUau8Ot9D6a3fAeO3p6fjP+Y=
To: =?UTF-8?Q?Mateusz_Jo=c5=84czyk?= <>, Eric Rescorla <>
References: <> <> <>
From: Stephen Farrell <>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Message-ID: <>
Date: Tue, 2 Jan 2018 20:18:42 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="9HEruOzIMpcmYm3ysW7gg41hGigQygk8G"
Archived-At: <>
Subject: Re: [TLS] Captive portals, "access administratively disabled" and alert messages
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Jan 2018 20:18:48 -0000

On 02/01/18 20:08, Mateusz Jończyk wrote:
>> I'm not really enthusiastic about any of these ideas for any of the
>> administratively prohibited
>> use cases because the information being provided to the user is unverifiable.
>> I.e., this
>> just tells you that someone on the network didn't like it, but the message
>> itself is just
>> an assertion (this is different from 451 in that that's provided inside the TLS
>> channel
>> if TLS is used). It's not like, for instance, the browser should display the
>> string to the
>> user as if it were true.
> Then the browser should display a message inside the warning screen that the
> string cannot be trusted. 

There isn't always a browser. I'd say caldav was responsible for
nearly as many cert warnings for me, but I only know that 'cause
I delved into detail to find out. And the same'd be true of any
application that regularly pulls from somewhere. I think that's
another reason to handle this in the capport wg - I'd guess folks
there are more aware of the full range of cases that may need
handling and of how to try interpose the portal web page stuff
before other applications see the n/w as active (or whatever it
is they're doing with HTTP:-).

> This is no less secure then an alternative: a TLS
> certificate error that conveys no message to the user whatsoever.

That's true. OTOH, I'm not sure a different error is any more
secure either.


PGP key change time for me.
New-ID 7B172BEA; old-ID 805F8DA2 expires Jan 24 2018.
NewWithOld sigs in keyservers.
Sorry if that mucks something up;-)