Re: [TLS] access_administratively_disabled v2

Mateusz Jończyk <mat.jonczyk@o2.pl> Wed, 03 January 2018 14:45 UTC

Return-Path: <mat.jonczyk@o2.pl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5589B126B7F for <tls@ietfa.amsl.com>; Wed, 3 Jan 2018 06:45:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mOLdsFbBUjVe for <tls@ietfa.amsl.com>; Wed, 3 Jan 2018 06:45:14 -0800 (PST)
Received: from mx-out.tlen.pl (mx-out.tlen.pl [193.222.135.142]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 325DF1205D3 for <tls@ietf.org>; Wed, 3 Jan 2018 06:45:14 -0800 (PST)
Received: (wp-smtpd smtp.tlen.pl 31499 invoked from network); 3 Jan 2018 15:45:11 +0100
Received: from agsa196.neoplus.adsl.tpnet.pl (HELO [192.168.1.22]) (mat.jonczyk@o2.pl@[217.99.78.196]) (envelope-sender <mat.jonczyk@o2.pl>) by smtp.tlen.pl (WP-SMTPD) with ECDHE-RSA-AES256-SHA encrypted SMTP for <stephen.farrell@cs.tcd.ie>; 3 Jan 2018 15:45:11 +0100
To: Eric Rescorla <ekr@rtfm.com>
References: <60555d44-340d-8aa7-eb45-3a23b758e5d2@o2.pl> <CABcZeBN=JHV3gY_JCkCUHHASEqcUQTUmmpRY5i66Dv53k=Z3Ag@mail.gmail.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>, Martin Thomson <martin.thomson@gmail.com>, abbypan@gmail.com, Ted Lemon <mellon@fugue.com>, JW <jw@pcthink.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
From: =?UTF-8?Q?Mateusz_Jo=c5=84czyk?= <mat.jonczyk@o2.pl>
X-Enigmail-Draft-Status: N1110
Message-ID: <3685a850-03ec-5162-414b-c2676022d661@o2.pl>
Date: Wed, 3 Jan 2018 15:45:10 +0100
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBN=JHV3gY_JCkCUHHASEqcUQTUmmpRY5i66Dv53k=Z3Ag@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-WP-MailID: 690e656efd6b635687d9134f7f052f7d
X-WP-AV: skaner antywirusowy Poczty o2
X-WP-SPAM: NO 000000A [wTO0]
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/V6Hs5sDffacWRdejU6FD162tnbU>
Subject: Re: [TLS] access_administratively_disabled v2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jan 2018 14:45:16 -0000

W dniu 03.01.2018 o 14:19, Eric Rescorla pisze:
> I have several comments:
> 
> - This is almost entirely out of scope for TLS, so you should start with
> CAPPORT. If they're interested, then we can discuss the code point assignment in
> TLS.
> 
> - You point #2 would effectively require either changes to the browser or CA
> issuance policies (the BRs would prohibit issuing to an entity under these
> conditions). I'm not sure that browser manufacturers would be excited about
> either set of changes. Resolving this seems like a threshold question for this
> proposal.

It could be possible for providers to obtain certifiates for subdomains such as
opendns.access_administratively_disabled.net. Then the server reachable at
access_administratively_disabled.net would provide a certificate for
opendns.access_administratively_disabled.net, which would be incorrect but
browsers would in this special case trust it.

> It seems like there are going to be rather a large number of such
> entities (every Firewall in the world?) so it may not be practical.

Firewall and blocking list providers would deploy their own
access_administratively_disabled.net servers. For example, Microsoft is
providing their own filtering solution (which is called Microsoft Forefront
Threat Management Gateway) [1] and it could deploy one
access_administratively_disabled.net server globally.

[1] http://msdn.microsoft.com/en-us/library/ff827462(v=vs.85).aspx

Greetings,
Mateusz Jończyk

> 
> 
> 
> 
> -Ekr
> 
> 
> 
> On Wed, Jan 3, 2018 at 4:48 AM, Mateusz Jończyk <mat.jonczyk@o2.pl
> <mailto:mat.jonczyk@o2.pl>> wrote:
> 
>     Hello,
>     Based on Your feedback (for which I am grateful) I have designed a new version
>     of the access_administratively_disabled mechanism.
> 
>     1. One new AlertDescription value should be specified:
>     access_administratively_disabled.
> 
>     2. The information why the webpage is blocked is specified at the URL
>     https://access_administratively_disabled.net?d=${domain_name}
>     <https://access_administratively_disabled.net?d=${domain_name}> as a simple
>     string.
> 
>     3. Certificates for access_administratively_disabled.net
>     <http://access_administratively_disabled.net> are assigned in a
>     non-usual way: any big entity that blocks websites (e.g. OpenDNS) may get a
>     certificate for access_administratively_disabled.net
>     <http://access_administratively_disabled.net> provided that their
>     identity is validated (i.e. in an Extended-Validation way). The list of entities
>     that received certificates for this domain would be made public and managed by
>     IANA. This way the risk of phishing would be eliminated.
> 
>     4. Any entity that is blocking some websites would redirect traffic for
>     access_administratively_disabled.net
>     <http://access_administratively_disabled.net> to their own servers.
> 
>     5. After getting an access_administratively_disabled warning a browser would
>     open https://access_admininistratively_disabled.net?d=${domain_name}
>     <https://access_admininistratively_disabled.net?d=${domain_name}> , validate
>     its certificate and display to the user information: what get blocked, by whom
>     and why.
> 
>     6. If https://access_administratively_disabled.net
>     <https://access_administratively_disabled.net> would not have a valid
>     certificate, the browser would only display that the website is being blocked,
>     without giving any reason.
> 
>     7. IANA or someone else would provide a default
>     https://access_administratively_disabled.net
>     <https://access_administratively_disabled.net> service for the public internet.
> 
>     This mechanism would provide blocking transparency without affecting security.
> 
>     Greetings,
>     Mateusz Jończyk
> 
>