Re: [TLS] draft-green-tls-static-dh-in-tls13-01

Mark Nottingham <mnot@mnot.net> Sun, 16 July 2017 12:51 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <00e841d5-7e47-4e21-f13c-9b9f1d24a9ac@zinks.de>
Date: Sun, 16 Jul 2017 14:51:16 +0200
Cc: "Salz, Rich" <rsalz@akamai.com>, "tls@ietf.org" <tls@ietf.org>
Message-Id: <B6F881F8-D51C-49B2-BC69-D56DB2220028@mnot.net>
To: Roland Zink <roland@zinks.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/lWaIwf4d_06UQjXef4rVG5LQp5s>

From a HTTP standpoint, they are the origin (i.e., endpoint). They just happen to use HTTP "behind" them.


> On 15 Jul 2017, at 10:39 pm, Roland Zink <roland@zinks.de> wrote:
> 
> I think reverse proxies are middleboxes regardless if they have official origin TLS certificates. From the TLS viewpoint they may be the endpoint although from the HTTP viewpoint they are not.
> 
> 
> Roland
> 
> 
> 
> On 15.07.2017 at 22:23, Salz, Rich wrote:
>>> A cache may be hired by a user, origin or even a network operator to act as a
>>> "front" to the origin. Is it not a middlebox because of this? It is a question of
>>> definition if a CDN is in the middle or the endpoint :)
>> Yes.  And I am saying that the definition doesn't include a CDN as a middlepoint.
>> 
>> Do user-provided reverse proxies have official TLS certificates with a SAN field claiming to be the origin?

--
Mark Nottingham   https://www.mnot.net/