Re: [TLS] TLS Proxy Server Extension

Marsh Ray <marsh@extendedsubset.com> Mon, 01 August 2011 15:28 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACDF211E80DF for <tls@ietfa.amsl.com>; Mon, 1 Aug 2011 08:28:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.556
X-Spam-Level:
X-Spam-Status: No, score=-2.556 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NNXP26hBW34d for <tls@ietfa.amsl.com>; Mon, 1 Aug 2011 08:28:05 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-04-ewr.mailhop.org [204.13.248.74]) by ietfa.amsl.com (Postfix) with ESMTP id 38B5911E8094 for <tls@ietf.org>; Mon, 1 Aug 2011 08:28:05 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.72) (envelope-from <marsh@extendedsubset.com>) id 1QnuPa-000J6I-Ek; Mon, 01 Aug 2011 15:28:10 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 02CDF606E; Mon, 1 Aug 2011 15:28:07 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1+IDJ+5KrcLfHk1eLmhIZ0OXhO6bablovw=
Message-ID: <4E36C607.4040504@extendedsubset.com>
Date: Mon, 01 Aug 2011 10:28:07 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110617 Thunderbird/3.1.11
MIME-Version: 1.0
To: Yoav Nir <ynir@checkpoint.com>
References: <CA5C9A22.4981%ynir@checkpoint.com>
In-Reply-To: <CA5C9A22.4981%ynir@checkpoint.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Philip Gladstone <pgladstone@cisco.com>, David McGrew <mcgrew@cisco.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS Proxy Server Extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2011 15:28:05 -0000

On 08/01/2011 10:08 AM, Yoav Nir wrote:
>
> I'm also thinking about whether we can get client certificates to work.
> The hard problem is that Certificate Verify signs the handshake messages,
> and those are not available to the client. I don't think we want to send
> all the previous handshake messages in the extension, so getting this to
> work would also require a server-side change.

You could just send the MD5/SHA-1/SHA-256 hashes of the messages, which 
is what the client cert signs.

Of course, this amounts to the client being willing to sign basically 
anything for the proxy, carte blanche. If the client's cert were valid 
for other things such as serving TLS or code signing that could 
represent a significant escalation of privilege.

- Marsh