Re: [TLS] access_administratively_disabled v2

2018-01-04 Thread Martin Thomson
On Fri, Jan 5, 2018 at 3:39 AM, Mateusz Jończyk wrote: > On 04.01.2018 at 16:52, Stephen Farrell wrote: >> I'm fairly sure I'm against attempting to handle captive portal issues at >> the TLS layer. Any changes to TLS needed for captive portals ought really >> garner

Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS

2018-01-04 Thread Colm MacCárthaigh
On Thu, Jan 4, 2018 at 4:17 AM, Hubert Kario wrote: > > No, I strongly disagree here. Firstly, frustrating attackers is a good > > definition of what the goal of security is. Sometimes increasing costs > for > > attackers does come at the cost of making things harder to

Re: [TLS] I-D Action: draft-ietf-tls-iana-registry-updates-03.txt

2018-01-04 Thread Stephen Farrell
On 04/01/18 16:51, Sean Turner wrote: > > As we discussed in Singapore, Stephen Farrell has graciously offered to > Shepherd this draft; write-up can be found at: > https://datatracker.ietf.org/doc/draft-ietf-tls-iana-registry-updates/shepherdwriteup/ Gracious? Me? Well, I guess given the

Re: [TLS] I-D Action: draft-ietf-tls-iana-registry-updates-03.txt

2018-01-04 Thread Sean Turner
This draft addresses the remaining outstanding issues: - text to transition for recommended Yes->No - orphaning user_mapping and cert_type This draft also addresses comments received by Ron Tse. gh repo likewise updated: https://github.com/tlswg/draft-ietf-tls-iana-registry-updates As we

Re: [TLS] access_administratively_disabled v2

2018-01-04 Thread Mateusz Jończyk
On 04.01.2018 at 16:52, Stephen Farrell wrote: > I'm fairly sure I'm against attempting to handle captive portal issues at > the TLS layer. Any changes to TLS needed for captive portals ought really > garner consensus within the capport wg and then

Re: [TLS] access_administratively_disabled v2

2018-01-04 Thread Eric Rescorla
On Thu, Jan 4, 2018 at 7:22 AM, Mateusz Jończyk wrote: > On 04.01.2018 at 16:00, Salz, Rich wrote: > > > >>Yes, at least in corporate environments, parental control solutions, > etc. > > This will give a more understandable message to the user. > > > > > > But as

Re: [TLS] access_administratively_disabled v2

2018-01-04 Thread Stephen Farrell
On 04/01/18 14:22, Eric Rescorla wrote: > I am not in favor of this change at this time. Same here. > > I suspect I'm not in favor of the mechanism, but I'm definitely not in > favor of > adding a placeholder alert for some mechanism which isn't specified. I'm fairly sure I'm against

Re: [TLS] access_administratively_disabled v2

2018-01-04 Thread Mateusz Jończyk
On 04.01.2018 at 16:00, Salz, Rich wrote: > >>Yes, at least in corporate environments, parental control solutions, etc. > This will give a more understandable message to the user. > > > But as others have pointed out, the alert is not signed by the target origin. > So anyone along the

Re: [TLS] access_administratively_disabled v2

2018-01-04 Thread Salz, Rich
>Yes, at least in corporate environments, parental control solutions, etc. This will give a more understandable message to the user. But as others have pointed out, the alert is not signed by the target origin. So anyone along the path can inject this alert. So browsers cannot

Re: [TLS] access_administratively_disabled v2

2018-01-04 Thread Eric Rescorla
On Thu, Jan 4, 2018 at 6:43 AM, Mateusz Jończyk wrote: > On 04.01.2018 at 15:22, Eric Rescorla wrote: > > > > > > On Thu, Jan 4, 2018 at 2:46 AM, Mateusz Jończyk > > wrote: > > > > On 03.01.2018 at 18:05, Benjamin Kaduk

Re: [TLS] access_administratively_disabled v2

2018-01-04 Thread Eric Rescorla
On Thu, Jan 4, 2018 at 2:46 AM, Mateusz Jończyk wrote: > On 03.01.2018 at 18:05, Benjamin Kaduk wrote: > > On 01/03/2018 10:17 AM, Mateusz Jończyk wrote: > >> Judging from TLS1.3's problems with middleboxes, content filtering > isn't so > >> rare, especially in the

Re: [TLS] access_administratively_disabled v2

2018-01-04 Thread Mateusz Jończyk
On 04.01.2018 at 14:32, Salz, Rich wrote: > ➢ https://github.com/tlswg/tls13-spec/pull/1134 > … > This will make censorship more transparent. > > Only if the censor agrees to use that alert to indicate what they are doing. > Do you really think that will happen? > Yes, at least

Re: [TLS] access_administratively_disabled v2

2018-01-04 Thread Salz, Rich
➢ https://github.com/tlswg/tls13-spec/pull/1134 … This will make censorship more transparent. Only if the censor agrees to use that alert to indicate what they are doing. Do you really think that will happen?

Re: [TLS] access_administratively_disabled v2

2018-01-04 Thread Mateusz Jończyk
On 04.01.2018 at 11:46, Mateusz Jończyk wrote: > On 03.01.2018 at 18:05, Benjamin Kaduk wrote: >> On 01/03/2018 10:17 AM, Mateusz Jończyk wrote: >>> Judging from TLS1.3's problems with middleboxes, content filtering isn't so >>> rare, especially in the corporate world. >>> >>> The provider

Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS

2018-01-04 Thread Hubert Kario
- Original Message - > From: "Colm MacCárthaigh" > To: "Hubert Kario" > Cc: tls@ietf.org > Sent: Wednesday, January 3, 2018 6:23:03 PM > Subject: Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in > general, and what we can do in TLS

Re: [TLS] access_administratively_disabled v2

2018-01-04 Thread Mateusz Jończyk
On 03.01.2018 at 18:05, Benjamin Kaduk wrote: > On 01/03/2018 10:17 AM, Mateusz Jończyk wrote: >> Judging from TLS1.3's problems with middleboxes, content filtering isn't so >> rare, especially in the corporate world. >> >> The provider of filtering services (for example OpenDNS) / middlebox >>