Re: [TLS] TLS Proxy Server Extension
Marsh Ray <marsh@extendedsubset.com> Mon, 01 August 2011 15:28 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACDF211E80DF for <tls@ietfa.amsl.com>; Mon, 1 Aug 2011 08:28:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.556
X-Spam-Level:
X-Spam-Status: No, score=-2.556 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NNXP26hBW34d for <tls@ietfa.amsl.com>; Mon, 1 Aug 2011 08:28:05 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-04-ewr.mailhop.org [204.13.248.74]) by ietfa.amsl.com (Postfix) with ESMTP id 38B5911E8094 for <tls@ietf.org>; Mon, 1 Aug 2011 08:28:05 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.72) (envelope-from <marsh@extendedsubset.com>) id 1QnuPa-000J6I-Ek; Mon, 01 Aug 2011 15:28:10 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 02CDF606E; Mon, 1 Aug 2011 15:28:07 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1+IDJ+5KrcLfHk1eLmhIZ0OXhO6bablovw=
Message-ID: <4E36C607.4040504@extendedsubset.com>
Date: Mon, 01 Aug 2011 10:28:07 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.18) Gecko/20110617 Thunderbird/3.1.11
MIME-Version: 1.0
To: Yoav Nir <ynir@checkpoint.com>
References: <CA5C9A22.4981%ynir@checkpoint.com>
In-Reply-To: <CA5C9A22.4981%ynir@checkpoint.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Philip Gladstone <pgladstone@cisco.com>, David McGrew <mcgrew@cisco.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS Proxy Server Extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2011 15:28:05 -0000
On 08/01/2011 10:08 AM, Yoav Nir wrote: > > I'm also thinking about whether we can get client certificates to work. > The hard problem is that Certificate Verify signs the handshake messages, > and those are not available to the client. I don't think we want to send > all the previous handshake messages in the extension, so getting this to > work would also require a server-side change. You could just send the MD5/SHA-1/SHA-256 hashes of the messages, which is what the client cert signs. Of course, this amounts to the client being willing to sign basically anything for the proxy, carte blanche. If the client's cert were valid for other things such as serving TLS or code signing that could represent a significant escalation of privilege. - Marsh
- [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension Yngve N. Pettersen
- Re: [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension Yoav Nir
- Re: [TLS] TLS Proxy Server Extension Yoav Nir
- Re: [TLS] TLS Proxy Server Extension Adam Langley
- Re: [TLS] TLS Proxy Server Extension Yoav Nir
- Re: [TLS] TLS Proxy Server Extension Adam Langley
- Re: [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension Matt McCutchen
- [TLS] Certificate pins vs. MITM proxies Matt McCutchen
- Re: [TLS] TLS Proxy Server Extension Martin Rex
- Re: [TLS] TLS Proxy Server Extension Matt McCutchen
- Re: [TLS] TLS Proxy Server Extension Matt McCutchen
- Re: [TLS] TLS Proxy Server Extension Martin Rex
- Re: [TLS] TLS Proxy Server Extension Marsh Ray
- Re: [TLS] TLS Proxy Server Extension Yoav Nir
- Re: [TLS] TLS Proxy Server Extension Marsh Ray
- Re: [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension Martin Rex
- Re: [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension Martin Rex
- Re: [TLS] TLS Proxy Server Extension Martin Rex
- Re: [TLS] TLS Proxy Server Extension Marsh Ray
- Re: [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension Marsh Ray
- Re: [TLS] TLS Proxy Server Extension Yoav Nir
- Re: [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension Yoav Nir
- Re: [TLS] TLS Proxy Server Extension Marsh Ray
- Re: [TLS] TLS Proxy Server Extension Martin Rex
- Re: [TLS] TLS Proxy Server Extension Martin Rex
- Re: [TLS] TLS Proxy Server Extension Martin Rex
- Re: [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension Martin Rex
- Re: [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension Yoav Nir
- Re: [TLS] TLS Proxy Server Extension Anders Rundgren
- Re: [TLS] TLS Proxy Server Extension Yoav Nir
- Re: [TLS] TLS Proxy Server Extension Ken Peirce
- Re: [TLS] TLS Proxy Server Extension Peter Gutmann
- Re: [TLS] TLS Proxy Server Extension Matt McCutchen
- Re: [TLS] TLS Proxy Server Extension Martin Rex
- Re: [TLS] TLS Proxy Server Extension Joshua Davies
- Re: [TLS] TLS Proxy Server Extension Yoav Nir
- Re: [TLS] TLS Proxy Server Extension Ken Peirce
- Re: [TLS] TLS Proxy Server Extension Philip Gladstone
- Re: [TLS] TLS Proxy Server Extension Kemp, David P.
- Re: [TLS] TLS Proxy Server Extension David McGrew
- Re: [TLS] TLS Proxy Server Extension Ralph Holz