On Wed 2017-08-09 22:54:46 -0700, Tony Arcieri wrote:
> - The gateway authenticates clients (using e.g. a TLS client certificate)
>   and authorizes the outbound hostnames against an ACL. This way we can
>   control which clients are allowed to reach which external endpoints.

While i think i understand where you're coming from, Tony, i can't help but note that this use case is difficult to distinguish from a regime that: (a) wants to forbid anonymous speech, and (b) wants to censor "unapproved" information sources, and (c) wants the capacity to undermine freedom of association.

That makes me wary, and i hope that SNI Encryption is *not* conflated with these particular use cases. In particular, the requirement of user identification/authentication in combination with a heavily constrained network seems problematic.

I don't think that we should design SNI encryption with an intent to facilitate this scenario.

--dkg
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls