Re: [TLS] access_administratively_disabled v2

Russ Housley <housley@vigilsec.com> Wed, 03 January 2018 16:08 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A3D01275F4 for <tls@ietfa.amsl.com>; Wed, 3 Jan 2018 08:08:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vbO_UFhCiwPq for <tls@ietfa.amsl.com>; Wed, 3 Jan 2018 08:08:02 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BFF4126CD8 for <tls@ietf.org>; Wed, 3 Jan 2018 08:08:02 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id A3E8B3009FF for <tls@ietf.org>; Wed, 3 Jan 2018 11:08:01 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id NHgjh3UTbLq8 for <tls@ietf.org>; Wed, 3 Jan 2018 11:08:00 -0500 (EST)
Received: from a860b60074bd.home (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id C6DAE300265; Wed, 3 Jan 2018 11:07:59 -0500 (EST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <60555d44-340d-8aa7-eb45-3a23b758e5d2@o2.pl>
Date: Wed, 3 Jan 2018 11:08:03 -0500
Cc: IETF TLS <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8FDABBC5-98C2-4353-88B5-FB553C5DE387@vigilsec.com>
References: <60555d44-340d-8aa7-eb45-3a23b758e5d2@o2.pl>
To: =?utf-8?Q?Mateusz_Jo=C5=84czyk?= <mat.jonczyk@o2.pl>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mg44b2CPuVxQ-k8dJ4BehtsB9cM>
Subject: Re: [TLS] access_administratively_disabled v2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jan 2018 16:08:04 -0000

Mateusz:

How do you see IANA controlling which parties get certificates for the access_administratively_disabled.net domain?

Russ

P.S.  If I recall RFC 1034 and 1035 correctly, domain name labels may contain only letters, digits, and hyphen.  Underscore is not allowed.


> On Jan 3, 2018, at 7:48 AM, Mateusz Jończyk <mat.jonczyk@o2.pl> wrote:
> 
> Hello,
> Based on Your feedback (for which I am grateful) I have designed a new version
> of the access_administratively_disabled mechanism.
> 
> 1. One new AlertDescription value should be specified:
> access_administratively_disabled.
> 
> 2. The information why the webpage is blocked is specified at the URL
> https://access_administratively_disabled.net?d=${domain_name} as a simple string.
> 
> 3. Certificates for access_administratively_disabled.net are assigned in a
> non-usual way: any big entity that blocks websites (e.g. OpenDNS) may get a
> certificate for access_administratively_disabled.net provided that their
> identity is validated (i.e. in an Extended-Validation way). The list of entities
> that received certificates for this domain would be made public and managed by
> IANA. This way the risk of phishing would be eliminated.
> 
> 4. Any entity that is blocking some websites would redirect traffic for
> access_administratively_disabled.net to their own servers.
> 					
> 5. After getting an access_administratively_disabled warning a browser would
> open https://access_admininistratively_disabled.net?d=${domain_name} , validate
> its certificate and display to the user information: what get blocked, by whom
> and why.
> 
> 6. If https://access_administratively_disabled.net would not have a valid
> certificate, the browser would only display that the website is being blocked,
> without giving any reason.
> 
> 7. IANA or someone else would provide a default
> https://access_administratively_disabled.net service for the public internet.
> 
> This mechanism would provide blocking transparency without affecting security.
> 
> Greetings,
> Mateusz Jończyk
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls