[TLS] access_administratively_disabled v2

Mateusz Jończyk <mat.jonczyk@o2.pl> Wed, 03 January 2018 12:48 UTC

Return-Path: <mat.jonczyk@o2.pl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 38EB2127023 for <tls@ietfa.amsl.com>; Wed, 3 Jan 2018 04:48:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 68ssXbaWFufd for <tls@ietfa.amsl.com>; Wed, 3 Jan 2018 04:48:41 -0800 (PST)
Received: from mx-out.tlen.pl (mx-out.tlen.pl []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7420126579 for <tls@ietf.org>; Wed, 3 Jan 2018 04:48:40 -0800 (PST)
Received: (wp-smtpd smtp.tlen.pl 19765 invoked from network); 3 Jan 2018 13:48:38 +0100
Received: from ceh60.neoplus.adsl.tpnet.pl (HELO []) (mat.jonczyk@o2.pl@[]) (envelope-sender <mat.jonczyk@o2.pl>) by smtp.tlen.pl (WP-SMTPD) with ECDHE-RSA-AES256-SHA encrypted SMTP for <stephen.farrell@cs.tcd.ie>; 3 Jan 2018 13:48:38 +0100
To: tls@ietf.org
From: =?UTF-8?Q?Mateusz_Jo=c5=84czyk?= <mat.jonczyk@o2.pl>
X-Enigmail-Draft-Status: N1110
Message-ID: <60555d44-340d-8aa7-eb45-3a23b758e5d2@o2.pl>
Date: Wed, 3 Jan 2018 13:48:36 +0100
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-WP-MailID: 1a286d6b68bd08d39a3ac81a9461433c
X-WP-AV: skaner antywirusowy Poczty o2
X-WP-SPAM: NO 000000A [cbPE]
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/b2czL4pBhn8wHNHdx6L1DWTYMC8>
Subject: [TLS] access_administratively_disabled v2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jan 2018 12:48:43 -0000

Based on Your feedback (for which I am grateful) I have designed a new version
of the access_administratively_disabled mechanism.

1. One new AlertDescription value should be specified:

2. The information why the webpage is blocked is specified at the URL
https://access_administratively_disabled.net?d=${domain_name} as a simple string.

3. Certificates for access_administratively_disabled.net are assigned in a
non-usual way: any big entity that blocks websites (e.g. OpenDNS) may get a
certificate for access_administratively_disabled.net provided that their
identity is validated (i.e. in an Extended-Validation way). The list of entities
that received certificates for this domain would be made public and managed by
IANA. This way the risk of phishing would be eliminated.

4. Any entity that is blocking some websites would redirect traffic for
access_administratively_disabled.net to their own servers.
5. After getting an access_administratively_disabled warning a browser would
open https://access_admininistratively_disabled.net?d=${domain_name} , validate
its certificate and display to the user information: what get blocked, by whom
and why.

6. If https://access_administratively_disabled.net would not have a valid
certificate, the browser would only display that the website is being blocked,
without giving any reason.

7. IANA or someone else would provide a default
https://access_administratively_disabled.net service for the public internet.

This mechanism would provide blocking transparency without affecting security.

Mateusz Jończyk