On Mon, Feb 13, 2012 at 11:21 AM, Martin Rex <[email protected]> wrote:
> Phillip Hallam-Baker wrote:
> > What I find wrong with the MITM proxies is that they offer a completely transparent mechanism. The user is not notified that they are being logged. I think that is a broken approach because the whole point of accountability controls is that people behave differently when they know they are being watched.
>
> MITM proxies are bad in several ways. Not only are they trying to hide (by faking server certs), they also break client-cert authentication, interfere with TLS channel bindings and will break other approaches that intend to fix the shortcomings of the Browser's TLS X.509 PKI trust model.

Continuing to do the same thing and expecting different results is one of the definitions of insanity, you know?

Our prohibitions have led to our unenforceable prohibitions being broken. We MUST stop prohibiting things, and recognize that there are valid use-cases which our narrow-minded interpretations of "Absolute Correctness Or It's Crap" have failed to take into account.

There are more things in Heaven and Earth than are dreamt of in your philosophy, Horatio. They exist regardless of whether we agree with them. The least we can do is permit them.

(And, there's another aspect: if we intentionally break all of the software that currently exists, we will have committed the largest technical attack on the international financial and communications infrastructure in history, and we would rightly be branded terrorists.)

-Kyle H
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
