Hi Toby,

Many thanks for your comments. Please see responses inline.

On Jun 11, 2020, at 2:45 AM, Tobias Mayer (tmayer) <[email protected]> wrote:

Hi Eric,

Some minor comments on the draft:

4.2 Are we making a difference in a TLS session ClientHello really initiated 
as a new ClientHello by the proxy on the server side, or if, like some proxies 
might do, the ClientHello from the client side is modified and forwarded? 
According to the text it looks like we are assuming that the proxy MUST always 
initiate its own session?

4.4 See comment on 4.2

The proxy MUST always initiate a new session and create its own ClientHello. 
The ClientHello may follow the original one, such as proposing the same cipher 
suites, but it must use its own key material. In that sense, it is always a 
freshly created ClientHello.

There were some proxy behaviors that attempted to reuse the original 
ClientHello. We think that must be strongly prohibited given the security risks 
(and technically impossible with forward secrecy).  That’s also one of the 
reasons for this document.

4.8 typo: "updateble" -> "updatable"

Thanks, corrected.
5.3 2nd paragraph. Maybe add a note that this out-of-band handshake is also 
giving back visibility into the certificate with TLS 1.3? Would be good to 
point this out.

Good point. Will add that part.


Best,
-Eric
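An added example, not from the draft or from anyone in this thread, that models Eric's point about the server-side leg: a proxy that forwards the client's ClientHello also forwards the client's key_share, so the server derives its (EC)DHE secret against a private key only the client holds, and the proxy cannot recover it; with its own ClientHello and key_share it can. Assumes stdlib Python only; x25519() is a transcription of the RFC 7748 ladder, and the handshake model is a constructed simplification (key_share exchange only, no transcript or key schedule).

```python
# Added example (not from the draft or this thread): a TLS proxy must send its own
# ClientHello carrying its own key_share. Stdlib only; x25519() follows RFC 7748.
import os

P = 2**255 - 19                          # X25519 field prime
BASEPOINT = (9).to_bytes(32, "little")   # X25519 generator u-coordinate

def x25519(scalar: bytes, u: bytes) -> bytes:
    """X25519(k, u): clamp k, then the RFC 7748 Montgomery ladder on u."""
    k = int.from_bytes(scalar, "little") & ~7 & ((1 << 255) - 1) | (1 << 254)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e, c, d = (aa - bb) % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    """Fresh ephemeral (private key, key_share) pair, as every TLS 1.3 peer makes."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

def split_handshake(reuse_client_hello: bool):
    """Server-side leg of a proxied session: returns (server_secret, proxy_secret)."""
    _, client_share = keypair()             # key_share from the client's ClientHello
    server_priv, server_share = keypair()   # server's key_share in its ServerHello
    proxy_priv, proxy_share = keypair()     # the proxy's own fresh key material
    # Reusing the client's ClientHello forwards client_share, so the server derives
    # its secret against a private key that only the client holds.
    share_sent = client_share if reuse_client_hello else proxy_share
    return x25519(server_priv, share_sent), x25519(proxy_priv, server_share)

def proxy_can_read(reuse_client_hello: bool) -> bool:
    """True only when the proxy ends up with the same (EC)DHE secret as the server."""
    server_secret, proxy_secret = split_handshake(reuse_client_hello)
    return server_secret == proxy_secret
```

The same outcome holds for every (EC)DHE group TLS 1.3 can negotiate, which is why the draft's requirement is not specific to x25519.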

Toby


From: OPSEC <[email protected]> on behalf of "Eric Wang (ejwang)" <[email protected]>
Date: Friday, 5. June 2020 at 03:30
To: "[email protected]" <[email protected]>
Cc: Roelof Du Toit <[email protected]>, Andrew Ossipov <[email protected]>
Subject: [OPSEC] Fwd: New Version Notification for draft-wang-opsec-tls-proxy-bp-00.txt

Dear OPSEC participants,

We published a new revision of the TLS-proxy best practice draft for the WG 
review. The title was updated with “opsec” based on Ron’s suggestion.  It 
replaces the previous file and contains the same updates to address early 
comments from Eric R., Tobias Mayer and others.

We would like to thank those reviewers and appreciate more comments and 
feedback on the draft!

Best,

-Eric (on behalf of the authors)



Begin forwarded message:

From: <[email protected]>
Subject: New Version Notification for draft-wang-opsec-tls-proxy-bp-00.txt
Date: June 4, 2020 at 2:59:38 PM PDT
To: Eric Wang <[email protected]>, Roelof DuToit <[email protected]>, Andrew Ossipov <[email protected]>


A new version of I-D, draft-wang-opsec-tls-proxy-bp-00.txt
has been successfully submitted by Eric Wang and posted to the
IETF repository.

Name: draft-wang-opsec-tls-proxy-bp
Revision: 00
Title: TLS Proxy Best Practice
Document date: 2020-06-03
Group: Individual Submission
Pages: 16
URL:            https://www.ietf.org/internet-drafts/draft-wang-opsec-tls-proxy-bp-00.txt
Status:         https://datatracker.ietf.org/doc/draft-wang-opsec-tls-proxy-bp/
Htmlized:       https://tools.ietf.org/html/draft-wang-opsec-tls-proxy-bp-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-wang-opsec-tls-proxy-bp


Abstract:
  TLS proxies are widely deployed by organizations to enable security
  features and apply enterprise policies.  This document defines a TLS
  proxy and discusses a wide range of security requirements to guide
  TLS proxy implementations.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec