Hi Eric,
Some minor comments on the draft:

4.2 Are we making a difference in a TLS session client hello really initiated as a new client hello by the proxy on the server side, or if, like some proxies might do, the client hello from the client side is modified and forwarded? According to the text it looks like we are assuming that the proxy MUST always initiate its own session?

4.4 See comment on 4.2.

4.8 Typo: "updateble" -> "updatable".

5.3 2nd paragraph: Maybe add a note that this out-of-band handshake is also giving back visibility into the certificate with TLS 1.3? Would be good to point this out.

Toby

From: OPSEC <[email protected]> on behalf of "Eric Wang (ejwang)" <[email protected]>
Date: Friday, 5. June 2020 at 03:30
To: "[email protected]" <[email protected]>
Cc: Roelof Du Toit <[email protected]>, Andrew Ossipov <[email protected]>
Subject: [OPSEC] Fwd: New Version Notification for draft-wang-opsec-tls-proxy-bp-00.txt

Dear OPSEC participants,

We published a new revision of the TLS-proxy best practice draft for the WG review. The title was updated with "opsec" based on Ron's suggestion. It replaces the previous file and contains the same updates to address early comments from Eric R., Tobias Mayer and others. We would like to thank those reviewers and appreciate more comments and feedback on the draft!

Best,
-Eric (on behalf of the authors)

Begin forwarded message:

From: <[email protected]>
Subject: New Version Notification for draft-wang-opsec-tls-proxy-bp-00.txt
Date: June 4, 2020 at 2:59:38 PM PDT
To: Eric Wang <[email protected]>, Roelof DuToit <[email protected]>, Andrew Ossipov <[email protected]>

A new version of I-D, draft-wang-opsec-tls-proxy-bp-00.txt has been successfully submitted by Eric Wang and posted to the IETF repository.

Name: draft-wang-opsec-tls-proxy-bp
Revision: 00
Title: TLS Proxy Best Practice
Document date: 2020-06-03
Group: Individual Submission
Pages: 16
URL: https://www.ietf.org/internet-drafts/draft-wang-opsec-tls-proxy-bp-00.txt
Status: https://datatracker.ietf.org/doc/draft-wang-opsec-tls-proxy-bp/
Htmlized: https://tools.ietf.org/html/draft-wang-opsec-tls-proxy-bp-00
Htmlized: https://datatracker.ietf.org/doc/html/draft-wang-opsec-tls-proxy-bp

Abstract:
TLS proxies are widely deployed by organizations to enable security features and apply enterprise policies. This document defines a TLS proxy and discusses a wide range of security requirements to guide TLS proxy implementations.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
