Re: [TLS] access_administratively_disabled v2
Mateusz Jończyk <mat.jonczyk@o2.pl> Wed, 03 January 2018 16:54 UTC
Return-Path: <mat.jonczyk@o2.pl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D750124D68 for <tls@ietfa.amsl.com>; Wed, 3 Jan 2018 08:54:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qDDCuy4SLJjH for <tls@ietfa.amsl.com>; Wed, 3 Jan 2018 08:54:00 -0800 (PST)
Received: from mx-out.tlen.pl (mx-out.tlen.pl [193.222.135.158]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DCCF1241F5 for <tls@ietf.org>; Wed, 3 Jan 2018 08:54:00 -0800 (PST)
Received: (wp-smtpd smtp.tlen.pl 15267 invoked from network); 3 Jan 2018 17:53:58 +0100
Received: from agsa196.neoplus.adsl.tpnet.pl (HELO [192.168.1.22]) (mat.jonczyk@o2.pl@[217.99.78.196]) (envelope-sender <mat.jonczyk@o2.pl>) by smtp.tlen.pl (WP-SMTPD) with ECDHE-RSA-AES256-SHA encrypted SMTP for <tls@ietf.org>; 3 Jan 2018 17:53:58 +0100
To: Russ Housley <housley@vigilsec.com>
References: <60555d44-340d-8aa7-eb45-3a23b758e5d2@o2.pl> <8FDABBC5-98C2-4353-88B5-FB553C5DE387@vigilsec.com>
Cc: IETF TLS <tls@ietf.org>
From: Mateusz Jończyk <mat.jonczyk@o2.pl>
X-Enigmail-Draft-Status: N1110
Message-ID: <f6f20d06-d04c-44c3-4efb-4aff408c5421@o2.pl>
Date: Wed, 03 Jan 2018 17:53:57 +0100
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <8FDABBC5-98C2-4353-88B5-FB553C5DE387@vigilsec.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-WP-MailID: 4db3ecbdc5024abb5960953901c725d4
X-WP-AV: skaner antywirusowy Poczty o2
X-WP-SPAM: NO 000000A [QbOU]
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YCPhV9lF6Q40_0-qTMPxragjZo0>
Subject: Re: [TLS] access_administratively_disabled v2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jan 2018 16:54:02 -0000
W dniu 03.01.2018 o 17:08, Russ Housley pisze: > Mateusz: > > How do you see IANA controlling which parties get certificates for the access_administratively_disabled.net domain? IANA is just an example, there could be some other provider controlling the access_administratively_disabled.net domain - possibly even OpenDNS. Subdomains [1] would be given out just like EV certificates are today - only proof of identity (and of payment) would be required. > > Russ > > P.S. If I recall RFC 1034 and 1035 correctly, domain name labels may contain only letters, digits, and hyphen. Underscore is not allowed. Yup, I also thought so. access_administratively_disabled.net is only a placeholder, the final domain name would be different. Greetings, Mateusz [1] For a slight modification of the proposal, see https://www.ietf.org/mail-archive/web/tls/current/msg25226.html > >> On Jan 3, 2018, at 7:48 AM, Mateusz Jończyk <mat.jonczyk@o2.pl> wrote: >> >> Hello, >> Based on Your feedback (for which I am grateful) I have designed a new version >> of the access_administratively_disabled mechanism. >> >> 1. One new AlertDescription value should be specified: >> access_administratively_disabled. >> >> 2. The information why the webpage is blocked is specified at the URL >> https://access_administratively_disabled.net?d=${domain_name} as a simple string. >> >> 3. Certificates for access_administratively_disabled.net are assigned in a >> non-usual way: any big entity that blocks websites (e.g. OpenDNS) may get a >> certificate for access_administratively_disabled.net provided that their >> identity is validated (i.e. in an Extended-Validation way). The list of entities >> that received certificates for this domain would be made public and managed by >> IANA. This way the risk of phishing would be eliminated. >> >> 4. Any entity that is blocking some websites would redirect traffic for >> access_administratively_disabled.net to their own servers. >> >> 5. After getting an access_administratively_disabled warning a browser would >> open https://access_admininistratively_disabled.net?d=${domain_name} , validate >> its certificate and display to the user information: what get blocked, by whom >> and why. >> >> 6. If https://access_administratively_disabled.net would not have a valid >> certificate, the browser would only display that the website is being blocked, >> without giving any reason. >> >> 7. IANA or someone else would provide a default >> https://access_administratively_disabled.net service for the public internet. >> >> This mechanism would provide blocking transparency without affecting security. >> >> Greetings, >> Mateusz Jończyk >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Eric Rescorla
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Eric Rescorla
- Re: [TLS] access_administratively_disabled v2 Russ Housley
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Eric Rescorla
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Benjamin Kaduk
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Salz, Rich
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Eric Rescorla
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Eric Rescorla
- Re: [TLS] access_administratively_disabled v2 Salz, Rich
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Stephen Farrell
- Re: [TLS] access_administratively_disabled v2 Eric Rescorla
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Martin Thomson
- Re: [TLS] access_administratively_disabled v2 Sean Turner