Re: [TLS] access_administratively_disabled v2

Eric Rescorla <ekr@rtfm.com> Wed, 03 January 2018 16:31 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF53C124D68 for <tls@ietfa.amsl.com>; Wed, 3 Jan 2018 08:31:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zMiSycG8xEFP for <tls@ietfa.amsl.com>; Wed, 3 Jan 2018 08:31:50 -0800 (PST)
Received: from mail-yb0-x22a.google.com (mail-yb0-x22a.google.com [IPv6:2607:f8b0:4002:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6311C120046 for <tls@ietf.org>; Wed, 3 Jan 2018 08:31:50 -0800 (PST)
Received: by mail-yb0-x22a.google.com with SMTP id q3so786620ybg.9 for <tls@ietf.org>; Wed, 03 Jan 2018 08:31:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=tDqCdHOC3YzEGt8ycc4v/3Knp5huOVZLN4qhbOMzKDo=; b=zb8Ca9AtzFifZ2rJAkbpb3Pk4pwekNCrJlaIYEVEQ8z6sCNwrWjGiSJldR8BpP609a VHsraYLCIwBUn+qQ1MVfctDnHMu1I9ogKkXmOu8uhRCJbhaRD9TszxCU6lPEoL1q/vCv E8SBAxH+9dLBJy/7BXRWkHCzH1MuBpYxtvBANRhsk0OI1WeopSXMDq9mlIGwSE52fOn4 898c2vsRD1YHk1ae+gEsFiA+xE/VzzxyPWEyJmZslLnQKpHXLni0st5J+3YMLvOMAI4T mMSPw7/Ai6n9FJP2tq56UvYXtqOhG4NIPfURmUbDInXjhIAfhdK+cQw4YBO0urfAiMse dZFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=tDqCdHOC3YzEGt8ycc4v/3Knp5huOVZLN4qhbOMzKDo=; b=YXi4fWBOZUHO0wwmVfCrcX4h7vXJ23giwCMAglrwLnIuuCDO10zBTUCROuP646Tlrl /ChJQLFR31sIVStdJtKv9NoIGmmCVe9Fd/UZdcapuSEiK+9xvFZYdRKy9UGxJWSrtVNV mAyMbZS1c2gr93KZs7cqwvWwtrsIxzL/FSygIoICeEV76NidRwKCi8GwURPS2kQaEn1d JISPgUY77wyRw1Y0dZ1XD85MVosJc3ZSbYx+ctAZIhLR956Ft6ym7MsImQN9Yc1VAMRf NDXXFEqKxYzXpba4zCmEp/gc/sXsRKOSm7SqTM8R1fVBRDPls9Zq3HE9Y0KQMv6cBzVs yRrA==
X-Gm-Message-State: AKGB3mIiALDQRUBcFKHO7+UCbRcy5v7hn3ZX4cVnSUmJCPNyd+SXKBjx +vSD/mUEBGA7Hx42+YeGxYx4VB/yhZ5s5vyuMmJfWA==
X-Google-Smtp-Source: ACJfBosF0zweAqyiLW3Prh/ZfNWcU6Mj3puVqJnPpNhLXMY+/P1yT6jKEuFV/MrrZQhXJjXHEMJc4UObbOpgLfcsr8E=
X-Received: by 10.37.239.17 with SMTP id g17mr1881698ybd.474.1514997109442; Wed, 03 Jan 2018 08:31:49 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.123.132 with HTTP; Wed, 3 Jan 2018 08:31:08 -0800 (PST)
In-Reply-To: <eb4530ad-2e6e-d5b6-72e7-4f84dae635e3@o2.pl>
References: <60555d44-340d-8aa7-eb45-3a23b758e5d2@o2.pl> <CABcZeBN=JHV3gY_JCkCUHHASEqcUQTUmmpRY5i66Dv53k=Z3Ag@mail.gmail.com> <3685a850-03ec-5162-414b-c2676022d661@o2.pl> <CABcZeBO0nzmfcA+1ujxceDtNKPGUBZQtBg4-yN-OpOSyEJ3bNg@mail.gmail.com> <eb4530ad-2e6e-d5b6-72e7-4f84dae635e3@o2.pl>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 3 Jan 2018 08:31:08 -0800
Message-ID: <CABcZeBP_020ws24USXj-irN5LH02dGJhDXPZCKC=dJ_C=5AS2g@mail.gmail.com>
To: =?UTF-8?Q?Mateusz_Jo=C5=84czyk?= <mat.jonczyk@o2.pl>
Cc: "<tls@ietf.org>" <tls@ietf.org>, Martin Thomson <martin.thomson@gmail.com>, Lanlan Pan <abbypan@gmail.com>, Ted Lemon <mellon@fugue.com>, JW <jw@pcthink.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="089e08289ed88b5e770561e1c008"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/cse2HD0_AB_9dpW5d6vH1y3EvgY>
Subject: Re: [TLS] access_administratively_disabled v2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jan 2018 16:31:54 -0000

On Wed, Jan 3, 2018 at 8:17 AM, Mateusz Jończyk <mat.jonczyk@o2.pl> wrote:

> W dniu 03.01.2018 o 16:28, Eric Rescorla pisze:
> >
> >
> > On Wed, Jan 3, 2018 at 6:45 AM, Mateusz Jończyk <mat.jonczyk@o2.pl
> > <mailto:mat.jonczyk@o2.pl>> wrote:
> >
> >     W dniu 03.01.2018 o 14:19, Eric Rescorla pisze:
> >     > I have several comments:
> >     >
> >     > - This is almost entirely out of scope for TLS, so you should
> start with
> >     > CAPPORT. If they're interested, then we can discuss the code point
> assignment in
> >     > TLS.
> >     >
> >     > - You point #2 would effectively require either changes to the
> browser or CA
> >     > issuance policies (the BRs would prohibit issuing to an entity
> under these
> >     > conditions). I'm not sure that browser manufacturers would be
> excited about
> >     > either set of changes. Resolving this seems like a threshold
> question for this
> >     > proposal.
> >
> >     It could be possible for providers to obtain certifiates for
> subdomains such as
> >     opendns.access_administratively_disabled.net
> >     <http://opendns.access_administratively_disabled.net>. Then the
> server
> >     reachable at
> >     access_administratively_disabled.net
> >     <http://access_administratively_disabled.net> would provide a
> certificate for
> >     opendns.access_administratively_disabled.net
> >     <http://opendns.access_administratively_disabled.net>, which would
> be
> >     incorrect but
> >     browsers would in this special case trust it.
> >
> >
> > Well, this seems like the first arm, in which you change the browser, so
> the
> > question
> > then becomes whether the browsers wish to do so. Are you aware of any
> > browser vendor which is interested?
>
> I'm not exactly sure what You understand by "the first arm".
> Of course it would have to be implemented in browsers, by me or somebody
> else.
> Microsoft may wish to deploy this in their Forefront TMG, so browser
> support in
> Internet Explorer / Edge would follow.
>

My question is whether any browser has indicated interest in doing so.


>     > It seems like there are going to be rather a large number of such
> >     > entities (every Firewall in the world?) so it may not be practical.
> >
> DNS already handles a large number of such entities and it somehow works
> and is
> practical. Having a subdomain of access_administratively_disabled.net
> registered
> would be expensive because a physical validation would have to be followed
> - it
> would probably be no less expensive than EV certificates currently are.
>

It's not a matter of scaling. It's a matter of having this many
certificates that can
all generate an acceptable message undermines the value of the signature
because you now have a distributed single point of failure.

-Ekr


> Greetings,
> Mateusz Jończyk
>
> > -Ekr
> >
> >
> >
> >     [1] http://msdn.microsoft.com/en-us/library/ff827462(v=vs.85).aspx
> >     <http://msdn.microsoft.com/en-us/library/ff827462(v=vs.85).aspx>
> >
> >     Greetings,
> >     Mateusz Jończyk
> >
> >     >
> >     >
> >     >
> >     >
> >     > -Ekr
> >     >
> >     >
> >     >
> >     > On Wed, Jan 3, 2018 at 4:48 AM, Mateusz Jończyk <mat.jonczyk@o2.pl
> <mailto:mat.jonczyk@o2.pl>
> >     > <mailto:mat.jonczyk@o2.pl <mailto:mat.jonczyk@o2.pl>>> wrote:
> >     >
> >     >     Hello,
> >     >     Based on Your feedback (for which I am grateful) I have
> designed a new version
> >     >     of the access_administratively_disabled mechanism.
> >     >
> >     >     1. One new AlertDescription value should be specified:
> >     >     access_administratively_disabled.
> >     >
> >     >     2. The information why the webpage is blocked is specified at
> the URL
> >     >     https://access_administratively_disabled.net?d=${domain_name}
> >     <https://access_administratively_disabled.net?d=${domain_name}>
> >     >     <https://access_administratively_disabled.net?d=${domain_name}
> >     <https://access_administratively_disabled.net?d=${domain_name}>> as
> a simple
> >     >     string.
> >     >
> >     >     3. Certificates for access_administratively_disabled.net
> >     <http://access_administratively_disabled.net>
> >     >     <http://access_administratively_disabled.net
> >     <http://access_administratively_disabled.net>> are assigned in a
> >     >     non-usual way: any big entity that blocks websites (e.g.
> OpenDNS) may get a
> >     >     certificate for access_administratively_disabled.net
> >     <http://access_administratively_disabled.net>
> >     >     <http://access_administratively_disabled.net
> >     <http://access_administratively_disabled.net>> provided that their
> >     >     identity is validated (i.e. in an Extended-Validation way).
> The list of entities
> >     >     that received certificates for this domain would be made
> public and managed by
> >     >     IANA. This way the risk of phishing would be eliminated.
> >     >
> >     >     4. Any entity that is blocking some websites would redirect
> traffic for
> >     >     access_administratively_disabled.net
> >     <http://access_administratively_disabled.net>
> >     >     <http://access_administratively_disabled.net
> >     <http://access_administratively_disabled.net>> to their own servers.
> >     >
> >     >     5. After getting an access_administratively_disabled warning
> a browser
> >     would
> >     >     open https://access_admininistratively_disabled.
> net?d=${domain_name}
> >     <https://access_admininistratively_disabled.net?d=${domain_name}>
> >     >     <https://access_admininistratively_disabled.
> net?d=${domain_name}
> >     <https://access_admininistratively_disabled.net?d=${domain_name}>>
> , validate
> >     >     its certificate and display to the user information: what get
> blocked,
> >     by whom
> >     >     and why.
> >     >
> >     >     6. If https://access_administratively_disabled.net
> >     <https://access_administratively_disabled.net>
> >     >     <https://access_administratively_disabled.net
> >     <https://access_administratively_disabled.net>> would not have a
> valid
> >     >     certificate, the browser would only display that the website
> is being
> >     blocked,
> >     >     without giving any reason.
> >     >
> >     >     7. IANA or someone else would provide a default
> >     >     https://access_administratively_disabled.net
> >     <https://access_administratively_disabled.net>
> >     >     <https://access_administratively_disabled.net
> >     <https://access_administratively_disabled.net>> service for the
> public internet.
> >     >
> >     >     This mechanism would provide blocking transparency without
> affecting
> >     security.
> >     >
> >     >     Greetings,
> >     >     Mateusz Jończyk
> >     >
> >     >
> >
> >
>
>