Re: [TLS] TLS Proxy Server Extension
Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 02 August 2011 13:11 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: thewirelessmacdude@yahoo.com, tls@ietf.org
In-Reply-To: <1312289460.11772.YahooMailClassic@web111723.mail.gq1.yahoo.com>
Message-Id: <E1QoElB-0002Uz-It@login01.fos.auckland.ac.nz>
Date: Wed, 03 Aug 2011 01:11:49 +1200
Subject: Re: [TLS] TLS Proxy Server Extension
Ken Peirce <thewirelessmacdude@yahoo.com> writes:

>TLS is used by people to ensure end to end integrity and privacy, usually,
>with PKI. Users are protected from intermediate parties if the system
>architects and TLS management by the controlling application have correctly
>handled the design of the PKI.

Exactly. The whole point of TLS is to provide a secured tunnel from source to destination, which includes defence against MITMs. If someone wants to do a MITM, violating a principal design feature of the protocol, then that's their problem, and not TLS's.

>IMHO, this is not a protocol issue. It is a systems engineering exercise in
>trust relationships.

Exactly. The response to this is "don't do that, then", not "we'll completely break our protocol to make it do the crazy stuff you want". (If people really want to deploy MITM boxes, put a wildcard cert on the MITM. That's how cellphone gateways have been doing it for years).

Peter.