On Mon, Feb 13, 2012 at 12:32 PM, Phillip Hallam-Baker <[email protected]> wrote:
> +1
>
> It is also worth pointing out that the MITM certs stopped being
> offered commercially as soon as it became public knowledge that they
> had been.
>
> Presumably the next step the companies providing this facility will
> take is to offer their own browser with the capability built in. It is
> no good jumping up and down saying people should not make such
> devices. The choice we have is whether to do the job right or let them
> do it without any input.
>
>
> What I find wrong with the MITM proxies is that they offer a
> completely transparent mechanism. The user is not notified that they
> are being logged. I think that is a broken approach because the whole
> point of accountability controls is that people behave differently
> when they know they are being watched.

I'm confused: if this is wrong, and if preventing MITMing CAs leads to
an MITM model that is right (because the users are informed), then why
does it do no good to jump up and down saying that people should not make
MITM devices?  It seems to me that it will have done plenty of good.

The object for me is not to prevent MITMing when the user knows.  I
really don't care about corporate MITM devices because I assume users
(employees, contractors) are informed.  Like you, I care about MITM
devices that users *don't* know about.

Not all spy-on-your-employees solutions are bad, thus the fact that
alternatives will arise does not necessarily bother me.  Only those
that can be used against users who are not informed or have no way to
avoid the MITM (employees can always... not use employer networks for
personal use).  Think of people in Iran, Syria, ...

Nico
--
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
