Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00

Paul Turner <> Thu, 19 October 2017 15:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CEC54134932 for <>; Thu, 19 Oct 2017 08:06:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.292
X-Spam-Status: No, score=0.292 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jRlNRehG-Yfm for <>; Thu, 19 Oct 2017 08:06:41 -0700 (PDT)
Received: from (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 30AE9134939 for <>; Thu, 19 Oct 2017 08:06:40 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1034.26; Thu, 19 Oct 2017 09:06:38 -0600
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1034.26; Thu, 19 Oct 2017 09:06:37 -0600
Received: from ([fe80::e9c4:73d1:e66e:cff6]) by ([fe80::e9c4:73d1:e66e:cff6%12]) with mapi id 15.01.1034.026; Thu, 19 Oct 2017 09:06:37 -0600
From: Paul Turner <>
To: "Salz, Rich" <>, "" <>
Thread-Topic: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
Date: Thu, 19 Oct 2017 15:06:37 +0000
Message-ID: <>
References: <> <> <> <> <000501d348e5$1f273450$5d759cf0$> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [TLS] Publication of draft-rhrd-tls-tls13-visibility-00
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 19 Oct 2017 15:06:42 -0000

> With this extension, any middlebox anywhere can drop traffic that is not
> tappable.  Regardless of who controls the clients and servers, we are now
> enabling entities to block traffic unless you acquiesce. For example, an inflight
> wifi could use this.  Maybe, ultimately, many/most of the servers that the
> passengers connect to will not support it, but some might.

Can't any middlebox block traffic today if the client doesn't agree to trust its CA? If a middlebox drops traffic because the extension was not included, there will be no indication to the client that it was dropped because they didn't include the extension. If the middlebox does display a page back to the client saying "You have to turn on TLS-Visibility so that we can we can look at traffic for a server that we have control over but don't want to get the data from this directly.", how is that different than "You have to trust our CA in order to communicate with this server so we can route you through our reverse proxy. Please download our CA root from the following location and install it."?

The second seems much easier in terms of scenarios 2 and 3 from my previous message.