Re: [TLS] TLS Proxy Server Extension

David McGrew <> Wed, 03 August 2011 21:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4F84A21F8581 for <>; Wed, 3 Aug 2011 14:36:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.71
X-Spam-Status: No, score=-102.71 tagged_above=-999 required=5 tests=[AWL=-0.111, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id n-+RtE3OUbrj for <>; Wed, 3 Aug 2011 14:36:17 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 6BEAD21F857D for <>; Wed, 3 Aug 2011 14:36:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=2995; q=dns/txt; s=iport; t=1312407390; x=1313616990; h=cc:message-id:from:to:in-reply-to: content-transfer-encoding:mime-version:subject:date: references; bh=jN2QXy8gXDdvJ4QfQbxlYgqcKGG8YMr1tzJjTZ8WMqI=; b=YFxSvZFtiinURxnPOjaipKlWE/IIyS3XRVahNx++9AtXqprSURJKanIW cm9uPAZFa2Yjp1/QVBLhuSVEm8iQgNvv0NGP+cdNTKCMNURqx3ADvLpKH L5La7crJVOZ/16xLN4E/3HZlT6Ej+FyuQaE8o8zFOxtvWve/TOxifzQUN Y=;
X-IronPort-AV: E=Sophos;i="4.67,312,1309737600"; d="scan'208";a="9421431"
Received: from ([]) by with ESMTP; 03 Aug 2011 21:36:30 +0000
Received: from ( []) by (8.14.3/8.14.3) with ESMTP id p73LaSWS002092; Wed, 3 Aug 2011 21:36:29 GMT
Message-Id: <>
From: David McGrew <>
To: "Kemp, David P." <>
In-Reply-To: <>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Wed, 3 Aug 2011 14:36:27 -0700
References: <> <> <>
X-Mailer: Apple Mail (2.936)
Subject: Re: [TLS] TLS Proxy Server Extension
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 03 Aug 2011 21:36:18 -0000

On Aug 3, 2011, at 1:55 PM, Kemp, David P. wrote:

> From: David McGrew
>> On Aug 1, 2011, at 9:15 AM, Martin Rex wrote:
>>> If the proxy terminates the clients
>>> TLS connection and establishes a new connection to the real server,
>>> then it will have to impersonate the real server to the client
>> No, that's not right, at least not if "impersonate" is meant in the
>> cryptographic sense.   If "impersonate" is meant in the sense that a
>> proxy can modify the traffic passing through it, then yes, that is a
>> goal for the system; it is a requirement if TLS is to be used to
>> protect communications when an HTTP proxy is present (for many types
>> of proxies).
> A TLS connection between S and C provides integrity protection  
> (which by
> definition is impossible without authentication): C knows that data it
> receives is identical to that sent by S.
> How do you propose to define roles that extend integrity properties  
> to a
> three-party protocol?  C must know that data it receives from S is  
> sent
> by S, with no insertions or deletions.  And that data it receives  
> from P
> was sent by P with no insertions or deletions.  "Modifying" traffic is
> fundamentally incompatible with data integrity - the concept is
> meaningless.  There must be either two independent unmodifiable data
> streams between C and S and between C and P, or there must be a single
> stream between C and P, where C trusts P to be the data provider  
> without
> knowing or caring where P got the data in the first place.  That is  
> what
> is meant by impersonation.
> In an application protocol it would be appropriate to tag sections of
> data that have different properties and originated from different
> sources - think chat room, or a portion-marked word document.  TLS
> claims to protect an application-independent data stream - I have no
> idea how you define semantics of a 3-party "session" without becoming
> application-specific.
> Dave

The idea of authentication in which two or more parties are trusted to  
create authentication tags or signatures occurs in both crypto theory  
(group signatures and threshold signatures, for instance) and crypto  
standards (such as group authentication as defined in RFC 3740 and  
used in RFC 5374).  Security models in which one party can modify data  
created by another can be sound and consistent, but of course we need  
to be careful about definitions, as you are pointing out.  (As an  
extreme example, data aggregation in sensor networks allow many  
different senders to affect a single piece of data.)

It would be most correct to describe the goals of the draft as  
establishing a pair of confidential and authenticated data streams  
between C/P and P/S, while having a three-party entitiy  
authentication.   I think a good way to describe the goal would be:  
multiparty entity authentication with pairwise key establishment.