Re: [TLS] TLS Proxy Server Extension

David McGrew <mcgrew@cisco.com> Mon, 01 August 2011 14:19 UTC

From: David McGrew <mcgrew@cisco.com>
To: Yoav Nir <ynir@checkpoint.com>
Date: Mon, 1 Aug 2011 07:19:08 -0700
Cc: Philip Gladstone <pgladstone@cisco.com>, tls@ietf.org
Subject: Re: [TLS] TLS Proxy Server Extension

On Aug 1, 2011, at 12:15 AM, Yoav Nir wrote:
>
>
> As for servers, it's possible to change the tls-proxy format in
> ClientHello to have a "role" field that could be either "client" or
> "proxy".

A further thought in this direction.  The server could sign the
extension that it gets from the proxy, and that signature could be
returned to the client, along with the data that was signed.  This
would give the client a strong confirmation that the server was aware
of the proxy.  From a security standpoint, this is good.  From a
deployability standpoint, it would require that servers are modified
to understand the extension, which is not so good.

David
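The flow David sketches, as an added Go example that is not part of the original message or of any tls-proxy draft: the proxy's extension bytes are signed by the server, relayed to the client, and the client verifies the signature before trusting the "role" it reads. Ed25519 standing in for the server's certificate key, the wire encoding, and the inclusion of the client random (so a signature from one handshake cannot be replayed into another) are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// TLSProxyExt models the tls-proxy ClientHello extension with the proposed "role"
// field. The encoding and the ClientRandom field are assumptions made for this example.
type TLSProxyExt struct {
	Role         string   // "client" or "proxy"
	ClientRandom [32]byte // assumed: copied from the ClientHello random
}

// Encode: 1-byte role length, role, 32-byte client random.
func (e TLSProxyExt) Encode() []byte {
	return append(append([]byte{byte(len(e.Role))}, e.Role...), e.ClientRandom[:]...)
}

// ServerSignExt: the server signs the extension bytes it received from the proxy.
func ServerSignExt(priv ed25519.PrivateKey, ext []byte) []byte {
	return ed25519.Sign(priv, ext)
}

// ClientVerify: the client checks the server's signature over the returned data and
// that the data is bound to its own handshake; Role then says whether the server saw a proxy.
func ClientVerify(pub ed25519.PublicKey, signed, sig []byte, myRandom [32]byte) (TLSProxyExt, error) {
	if !ed25519.Verify(pub, signed, sig) {
		return TLSProxyExt{}, errors.New("bad server signature over tls-proxy extension")
	}
	if len(signed) < 1 || len(signed) != 1+int(signed[0])+32 {
		return TLSProxyExt{}, errors.New("malformed tls-proxy extension")
	}
	e := TLSProxyExt{Role: string(signed[1 : 1+int(signed[0])])}
	copy(e.ClientRandom[:], signed[1+int(signed[0]):])
	if e.ClientRandom != myRandom {
		return e, errors.New("signed extension is not bound to this handshake")
	}
	return e, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand; stands in for the cert key
	r := [32]byte{1, 2, 3}                   // constructed client random for the demo
	ext := TLSProxyExt{Role: "proxy", ClientRandom: r}.Encode() // built and sent by the proxy
	got, err := ClientVerify(pub, ext, ServerSignExt(priv, ext), r)
	fmt.Println(got.Role, err) // proxy <nil>
}
```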