On Feb 13, 2012, at 8:36 AM, Martin Rex wrote: > The fact that there are products (client-side HTTPS proxies that > perform MITM and inspect content) actively sold and used, > which are vitally dependent on being able to exploit weaknesses > of the existing TLS X.509 PKI security&trust model, is a sure proof > that something is wrong with the existing security model.
Well, it is proof that the theoretical model in which authorized MITM was disallowed was seen as too limiting. > I do not think there is value in maintaining backward compatible > weaknesses, and personally, I do not mind the slightest about breaking > those protocol subverting middle boxes, be it by the use of TLS channel > bindings, or the checking of DANE TLSA records. Pragmatically speaking, if you come up with an architecture that disallows people from doing what they want/need to do, they'll either figure out ways around it or not use that architecture. Regards, -drc _______________________________________________ therightkey mailing list [email protected] https://www.ietf.org/mailman/listinfo/therightkey
