On Tue, Jun 19, 2018 at 4:01 PM, Nico Williams <[email protected]> wrote:
> On Tue, Jun 19, 2018 at 03:51:55PM -0700, Eric Rescorla wrote:
> > On Tue, Jun 19, 2018 at 3:46 PM, Nico Williams <[email protected]> wrote:
> > > On Tue, Jun 19, 2018 at 12:26:10PM -0700, Eric Rescorla wrote:
> > > > On Tue, Jun 19, 2018 at 11:34 AM, Nico Williams <[email protected]> wrote:
> > > > > The I-D should say that clients MUST allow local configuration of what
> > > > > domains to accept trust anchors for, and SHOULD allow local policy to
> > > > > list . as a domain for which to accept trust anchors.
> > > >
> > > > The ID can say that, but as a practical matter, any enterprise that has
> > > > a reasonable number of internal domains is just going to tell people
> > > > to configure their client to accept any domain name.
> > >
> > > And what's the problem with that?
> > >
> > > If it's your own device you might balk, so get your employer to provide
> > > you with theirs. Or just accept it as part of the employment deal.
> >
> > Again, right now I'm just trying to establish the facts of the matter.
> > Do you agree this is going to be a common scenario?
>
> I don't know what the antecedent of "this" in your question is. If you
> mean that BYODs will have to accept policies users don't want, well,
> that's pretty much true anyways (e.g., you have to accept proxy
> configurations that can and _will_ MITM you).

I'm asking if a common scenario will be that users of enterprise VPNs who implement this feature will end up in a situation where the VPN can impose TAs for any domain.

As a followup question, I claim that that's not presently true with existing VPNs. In some cases, the VPN requires you to install a new trust anchor in order to accept its cert, but that's not an inherently necessary practice. Separately, an enterprise may require you to accept an MITM cert, but these are conceptually distinct. Do you disagree with that?
> Are you objecting to the I-D altogether -- objecting to the feature it
> adds -- or asking what the I-D should say about your concern?

Again, right now I'm trying to establish the facts of the matter. I'd prefer to do that prior to discussing what is good or bad.

-Ekr
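The local-policy check Nico describes above (a client-side allowlist of domains for which VPN-pushed trust anchors may be accepted, with "." meaning any domain) as an added illustration. This is example code written for this page, not code from the thread, the I-D, or any VPN client; the function names, the `(domain, anchor_id)` tuple shape of the pushed anchors and the sample inputs are all constructed assumptions.

```python
from typing import Iterable, List, Tuple

# Constructed sample of trust anchors a VPN might push during configuration:
# (domain the anchor is scoped to, opaque anchor identifier). Hypothetical values.
PUSHED_ANCHORS = [
    ("corp.example", "ca-1"),
    ("example.com", "ca-2"),
    ("corp.example.net", "ca-3"),  # not a subdomain of corp.example
]


def normalize(domain: str) -> str:
    """Lower-case and strip the trailing dot, so 'Corp.Example.' matches 'corp.example'."""
    return domain.strip().lower().rstrip(".")


def ta_allowed_for(domain: str, allowed: Iterable[str]) -> bool:
    """Return True if local policy permits accepting a trust anchor for `domain`.

    `allowed` is the locally configured list of domains (the client's own
    configuration, never something the VPN supplies). An entry of "." means
    the root, i.e. any domain, which the thread says the client SHOULD make
    configurable. Any other entry matches that domain and its subdomains only.
    """
    d = normalize(domain)
    for entry in allowed:
        if entry.strip() == ".":
            return True
        e = normalize(entry)
        if not e:
            continue  # ignore empty entries rather than treating them as wildcards
        # Suffix match on a label boundary: "corp.example.net" must not match "corp.example".
        if d == e or d.endswith("." + e):
            return True
    return False


def filter_pushed_anchors(
    pushed: Iterable[Tuple[str, str]], allowed: Iterable[str]
) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split VPN-pushed anchors into those local policy accepts and those it rejects."""
    allowed = list(allowed)
    accepted: List[Tuple[str, str]] = []
    rejected: List[Tuple[str, str]] = []
    for domain, anchor in pushed:
        (accepted if ta_allowed_for(domain, allowed) else rejected).append((domain, anchor))
    return accepted, rejected


if __name__ == "__main__":
    # A narrow local policy only admits anchors for the enterprise's own domain tree.
    ok, dropped = filter_pushed_anchors(PUSHED_ANCHORS, ["corp.example"])
    print("accepted:", ok)
    print("rejected:", dropped)
    # The "." policy the thread discusses admits anchors for every domain.
    print("with '.':", filter_pushed_anchors(PUSHED_ANCHORS, ["."])[0])
```

The point of the label-boundary check in `ta_allowed_for` is that a plain string suffix test would let an anchor scoped to `corp.example.net` slip through a policy meant for `corp.example`; the "." entry is kept as an explicit, deliberate opt-in rather than a default.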
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
