Nico Williams wrote:

> Whether we pursue auditable CAs / notaries, Convergence, HSTS, user
> authentication that can do channel binding -- all these options are
> about keeping the CAs honest by making it too likely that MITMing CAs
> (whether compromised or by business plan) will get detected. Someone
> made a comment about elegance. I'm not sure that anything other than
> making CAs auditable is elegant, but I don't think elegance is really
> what we're after (though elegance is always nice). I think we're
> after a PKI where MITMing is not likely to pay off except in
> relatively rare circumstances (e.g., when a new device is
> bootstrapping itself), so rare that it isn't worth trying to MITM even
> in those very few cases.
The fact that there are products (client-side HTTPS proxies that perform MITM and inspect content) actively sold and used, which are vitally dependent on being able to exploit weaknesses of the existing TLS X.509 PKI security & trust model, is a sure proof that something is wrong with the existing security model.

I do not think there is value in maintaining backward compatible weaknesses, and personally, I do not mind in the slightest about breaking those protocol-subverting middle boxes, be it by the use of TLS channel bindings, or the checking of DANE TLSA records.

-Martin

_______________________________________________
therightkey mailing list
https://www.ietf.org/mailman/listinfo/therightkey
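As an added illustration of the second check Martin names (not code from this thread), the following matches a presented certificate against a DANE TLSA record as RFC 6698 defines the selector and matching-type fields, and shows why an intercepting proxy's substitute certificate fails that match. The DER helpers, the `toy_cert` builder, the key strings and the `_443._tcp.example.com` record are constructed for this example; a real client would fetch the record over DNSSEC-validated DNS and apply PKIX checks for usages 0 to 2.

```python
import hashlib
import hmac

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV, short-form length only (enough for the toy certificate below)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def der_children(body: bytes):
    """Split a constructed DER body into (tag, whole_tlv, inner_body) triples."""
    out, pos = [], 0
    while pos < len(body):
        tag, n, p = body[pos], body[pos + 1], pos + 2
        if n & 0x80:                                  # long form: low 7 bits = length-of-length
            k = n & 0x7F
            n, p = int.from_bytes(body[p:p + k], "big"), p + k
        out.append((tag, body[pos:p + n], body[p:p + n]))
        pos = p + n
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    tbs_body = der_children(der_children(cert_der)[0][2])[0][2]
    fields = der_children(tbs_body)
    # tbsCertificate: [0] version (optional), serialNumber, signature, issuer, validity, subject, SPKI
    return fields[6 if fields[0][0] == 0xA0 else 5][1]

def tlsa_matches(cert_der: bytes, usage: int, selector: int, mtype: int, assoc: bytes) -> bool:
    """Match a presented certificate against one TLSA record (RFC 6698 section 2.1). Usage 3
    (DANE-EE) pins the end entity itself; usages 0-2 also need PKIX chain checks, not done here."""
    data = cert_der if selector == 0 else extract_spki(cert_der)   # selector 0 = full cert, 1 = SPKI
    hashers = {1: hashlib.sha256, 2: hashlib.sha512}               # matching type 0 = exact bytes
    digest = data if mtype == 0 else hashers[mtype](data).digest()
    return hmac.compare_digest(digest, assoc)

def toy_cert(key_bits: bytes) -> bytes:
    """Constructed stand-in with a real certificate's outer DER layout; not a valid certificate."""
    seq = lambda *parts: der_tlv(0x30, b"".join(parts))
    alg = seq(der_tlv(0x06, bytes.fromhex("2a8648ce3d0201")))      # OID id-ecPublicKey
    spki = seq(alg, der_tlv(0x03, b"\x00" + key_bits))
    tbs = seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")), der_tlv(0x02, b"\x01"),
              alg, seq(), seq(), seq(), spki)
    return seq(tbs, alg, der_tlv(0x03, b"\x00fake-signature"))

# Constructed inputs: the operator's certificate and what an intercepting proxy would present instead.
LEGIT_CERT, MITM_CERT = toy_cert(b"legitimate-server-key"), toy_cert(b"interception-proxy-key")
# Constructed record the operator would publish as "_443._tcp.example.com IN TLSA 3 1 1 <hex>"
TLSA_RECORD = (3, 1, 1, hashlib.sha256(extract_spki(LEGIT_CERT)).digest())

def check(cert_der: bytes) -> bool:
    return tlsa_matches(cert_der, *TLSA_RECORD)   # True only when the SPKI matches the record
```

A proxy that re-signs the server's certificate with its own key changes the SubjectPublicKeyInfo, so a 3 1 1 record fails to match regardless of which CA the client trusts.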
