[TLS] access_administratively_disabled v2
Mateusz Jończyk <mat.jonczyk@o2.pl> Wed, 03 January 2018 12:48 UTC
Return-Path: <mat.jonczyk@o2.pl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38EB2127023 for <tls@ietfa.amsl.com>; Wed, 3 Jan 2018 04:48:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 68ssXbaWFufd for <tls@ietfa.amsl.com>; Wed, 3 Jan 2018 04:48:41 -0800 (PST)
Received: from mx-out.tlen.pl (mx-out.tlen.pl [193.222.135.148]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7420126579 for <tls@ietf.org>; Wed, 3 Jan 2018 04:48:40 -0800 (PST)
Received: (wp-smtpd smtp.tlen.pl 19765 invoked from network); 3 Jan 2018 13:48:38 +0100
Received: from ceh60.neoplus.adsl.tpnet.pl (HELO [192.168.1.22]) (mat.jonczyk@o2.pl@[83.30.183.60]) (envelope-sender <mat.jonczyk@o2.pl>) by smtp.tlen.pl (WP-SMTPD) with ECDHE-RSA-AES256-SHA encrypted SMTP for <stephen.farrell@cs.tcd.ie>; 3 Jan 2018 13:48:38 +0100
To: tls@ietf.org
From: Mateusz Jończyk <mat.jonczyk@o2.pl>
X-Enigmail-Draft-Status: N1110
Message-ID: <60555d44-340d-8aa7-eb45-3a23b758e5d2@o2.pl>
Date: Wed, 03 Jan 2018 13:48:36 +0100
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-WP-MailID: 1a286d6b68bd08d39a3ac81a9461433c
X-WP-AV: skaner antywirusowy Poczty o2
X-WP-SPAM: NO 000000A [cbPE]
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/b2czL4pBhn8wHNHdx6L1DWTYMC8>
Subject: [TLS] access_administratively_disabled v2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jan 2018 12:48:43 -0000
Hello, Based on Your feedback (for which I am grateful) I have designed a new version of the access_administratively_disabled mechanism. 1. One new AlertDescription value should be specified: access_administratively_disabled. 2. The information why the webpage is blocked is specified at the URL https://access_administratively_disabled.net?d=${domain_name} as a simple string. 3. Certificates for access_administratively_disabled.net are assigned in a non-usual way: any big entity that blocks websites (e.g. OpenDNS) may get a certificate for access_administratively_disabled.net provided that their identity is validated (i.e. in an Extended-Validation way). The list of entities that received certificates for this domain would be made public and managed by IANA. This way the risk of phishing would be eliminated. 4. Any entity that is blocking some websites would redirect traffic for access_administratively_disabled.net to their own servers. 5. After getting an access_administratively_disabled warning a browser would open https://access_admininistratively_disabled.net?d=${domain_name} , validate its certificate and display to the user information: what get blocked, by whom and why. 6. If https://access_administratively_disabled.net would not have a valid certificate, the browser would only display that the website is being blocked, without giving any reason. 7. IANA or someone else would provide a default https://access_administratively_disabled.net service for the public internet. This mechanism would provide blocking transparency without affecting security. Greetings, Mateusz Jończyk
- [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Eric Rescorla
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Eric Rescorla
- Re: [TLS] access_administratively_disabled v2 Russ Housley
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Eric Rescorla
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Benjamin Kaduk
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Salz, Rich
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Eric Rescorla
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Eric Rescorla
- Re: [TLS] access_administratively_disabled v2 Salz, Rich
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Stephen Farrell
- Re: [TLS] access_administratively_disabled v2 Eric Rescorla
- Re: [TLS] access_administratively_disabled v2 Mateusz Jończyk
- Re: [TLS] access_administratively_disabled v2 Martin Thomson
- Re: [TLS] access_administratively_disabled v2 Sean Turner