Re: [TLS] access_administratively_disabled v2

"Salz, Rich" <rsalz@akamai.com> Thu, 04 January 2018 15:00 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A728912D876 for <tls@ietfa.amsl.com>; Thu, 4 Jan 2018 07:00:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uTE8X2hkWVGS for <tls@ietfa.amsl.com>; Thu, 4 Jan 2018 07:00:24 -0800 (PST)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D829E1201F8 for <tls@ietf.org>; Thu, 4 Jan 2018 07:00:24 -0800 (PST)
Received: from pps.filterd (m0050095.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id w04EuJCu018914; Thu, 4 Jan 2018 15:00:23 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=5CfwUN6pft6KxmJALTh+deeyiFQkCpO5BI+NKD78veY=; b=aVLQCh1n656i+if+lB6vITaDaYtichZJmwIWSfDuMrWMzMdfiJVF8GzZf2E08E5jNSLB VU+Ihd1QODEV9wB7BIrgkpbgU4ySBliwhKjX/rYllV195oU4QA2nLdYdStXwQN3/LH5g VFrBCi/voH0gUlIu+JEUmlt+ZiB+XD9Yv0HFySQqYRvhcPaH5OWAvHxm1UyG5B7Sgx1w a7cEoPvamPXZGXNULoel21XcwVCj51Z4PQLWuXCEz8AQBjDkl4NfCMtsHNdSSuJMxLNr jeo2k/lvoCCoTxGmzE2pBuKdl3Oz9oUwh9pK3s8qfbB0FPUV9yqklDDtEWG1hy3nqkAi ew==
Received: from prod-mail-ppoint2 (prod-mail-ppoint2.akamai.com [184.51.33.19]) by m0050095.ppops.net-00190b01. with ESMTP id 2f6377ebnu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 04 Jan 2018 15:00:22 +0000
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w04Ex7Lh022922; Thu, 4 Jan 2018 10:00:21 -0500
Received: from email.msg.corp.akamai.com ([172.27.123.33]) by prod-mail-ppoint2.akamai.com with ESMTP id 2f9pej812d-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 04 Jan 2018 10:00:20 -0500
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag3mb1.msg.corp.akamai.com (172.27.123.60) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Thu, 4 Jan 2018 10:00:20 -0500
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1263.000; Thu, 4 Jan 2018 10:00:20 -0500
From: "Salz, Rich" <rsalz@akamai.com>
To: =?utf-8?B?TWF0ZXVzeiBKb8WEY3p5aw==?= <mat.jonczyk@o2.pl>, "Kaduk, Ben" <bkaduk@akamai.com>, "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] access_administratively_disabled v2
Thread-Index: AQHThJE18kfuuXwokkOCgTG+nMQX5aNidYcAgAAYEACAAAwugIAADZcAgAANeACAAShWAIAAIjMAgAAMOACAAAOIAIAAFO0A
Date: Thu, 4 Jan 2018 15:00:19 +0000
Message-ID: <1CF1CE13-8015-4A69-9303-BEC0BF7C4860@akamai.com>
References: <60555d44-340d-8aa7-eb45-3a23b758e5d2@o2.pl> <CABcZeBN=JHV3gY_JCkCUHHASEqcUQTUmmpRY5i66Dv53k=Z3Ag@mail.gmail.com> <3685a850-03ec-5162-414b-c2676022d661@o2.pl> <CABcZeBO0nzmfcA+1ujxceDtNKPGUBZQtBg4-yN-OpOSyEJ3bNg@mail.gmail.com> <eb4530ad-2e6e-d5b6-72e7-4f84dae635e3@o2.pl> <5afdbc7f-30bb-4de2-6a72-588b8edc55d8@akamai.com> <235782bf-c26b-12c4-391a-26b654a8b9af@o2.pl> <8360a74c-7e8f-b23d-2bf8-879cb0d5c895@o2.pl> <495C6A3F-D05A-432F-924E-B75D7754F10D@akamai.com> <a4800b5a-59e1-8ab0-7418-d47b9ca5283c@o2.pl>
In-Reply-To: <a4800b5a-59e1-8ab0-7418-d47b9ca5283c@o2.pl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.27.0.171010
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.36.151]
Content-Type: text/plain; charset="utf-8"
Content-ID: <63ECFAE79005BB4793F39B35A1E93D44@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-01-04_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=938 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1801040206
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-01-04_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=869 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1801040207
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/z9_pRvcwVryN42lGDUck2zx02Zo>
Subject: Re: [TLS] access_administratively_disabled v2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jan 2018 15:00:27 -0000

>    Yes, at least in corporate environments, parental control solutions, etc.
    This will give a more understandable message to the user.
  

But as others have pointed out, the alert is not signed by the target origin.  So anyone along the path can inject this alert.  So browsers cannot trust it, and they certainly cannot display any possible text associated with it.

How can you distinguish valid and proper use, from not valid and improper use including DoS?  Without that algorithm specified, I doubt any browser would implement this.  (And IMO I doubt they will do so anyway.)