Re: [TLS] TLS Proxy Server Extension

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 02 August 2011 13:11 UTC

Return-Path: <pgut001@login01.cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FDDE21F8ACC for <tls@ietfa.amsl.com>; Tue, 2 Aug 2011 06:11:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.594
X-Spam-Level:
X-Spam-Status: No, score=-3.594 tagged_above=-999 required=5 tests=[AWL=0.005, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jw8ok0A6a3xJ for <tls@ietfa.amsl.com>; Tue, 2 Aug 2011 06:11:50 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by ietfa.amsl.com (Postfix) with ESMTP id CF6A421F8AB8 for <tls@ietf.org>; Tue, 2 Aug 2011 06:11:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1312290719; x=1343826719; h=from:to:subject:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20thewirelessmacdude@yahoo.com,=20tls@ietf.org |Subject:=20Re:=20[TLS]=20TLS=20Proxy=20Server=20Extensio n|In-Reply-To:=20<1312289460.11772.YahooMailClassic@web11 1723.mail.gq1.yahoo.com>|Message-Id:=20<E1QoElB-0002Uz-It @login01.fos.auckland.ac.nz>|Date:=20Wed,=2003=20Aug=2020 11=2001:11:49=20+1200; bh=WzrHUrOobo6JLn4j7lhP5I72TiYEt5sas+V9y/YPvXI=; b=NJOPH8m5IlEghnHXMJt65KRFeOR+gdlw0KN8ZpAcx6+kpXv/r7yuDYD+ WDuOR9J7obRwOij0vi4GdMqJdquAGDc6WGsHyv9Ln6C2yywv+de2yXhZp jgjp9hs3asHcbN4LaJ0eInEvRI02PEbSDiB5s6snsU2MkAXdYSFSyeBhr 8=;
X-IronPort-AV: E=Sophos;i="4.67,306,1309694400"; d="scan'208";a="75521029"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 03 Aug 2011 01:11:49 +1200
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QoElB-0005QU-I9; Wed, 03 Aug 2011 01:11:49 +1200
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1QoElB-0002Uz-It; Wed, 03 Aug 2011 01:11:49 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: thewirelessmacdude@yahoo.com, tls@ietf.org
In-Reply-To: <1312289460.11772.YahooMailClassic@web111723.mail.gq1.yahoo.com>
Message-Id: <E1QoElB-0002Uz-It@login01.fos.auckland.ac.nz>
Date: Wed, 03 Aug 2011 01:11:49 +1200
Subject: Re: [TLS] TLS Proxy Server Extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2011 13:11:51 -0000

Ken Peirce <thewirelessmacdude@yahoo.com>; writes:

>TLS is used by people to insure end to end integrity and privacy, usually,
>with PKI. Users are protected from intermediate parties if the system
>architects and TLS management by the controlling application have correctly
>handled the design of the PKI

Exactly.  The whole point of TLS is to provide a secured tunnel from source to
destination, which includes defence against MITMs.  If someone wants to do a
MITM, violating a principal design feature of the protocol, then that's their
problem, and not TLS's.  

>IMHO, this is not a protocol issue. It is a systems engineering exercise in
>trust relationships.

Exactly.  The response to this is "don't do that, then", not "we'll completely
break our protocol to make it do the crazy stuff you want".

(If people really want to deploy MITM boxes, put a wildcard cert on the MITM.
That's how cellphone gateways have been doing it for years).

Peter.