On 16 February 2012 13:41, Phillip Hallam-Baker <[email protected]> wrote:
> Further, if DANE was deployed or any of the proposals made here was
> deployed they would stop the MITM enabling root authority from
> working. So we are proposing to break the escape hole you are
> proposing they use.
>
> Now breaking that escape hole might be a good thing. But we should
> certainly think about the consequences and it should be a deliberate
> decision to break it and not provide an alternative.

We just had this same discussion on DANE:
http://www.ietf.org/mail-archive/web/dane/current/msg04306.html

I raised the same point about local policy enabling an override, and the consensus seemed to be: "That's a good point, and mandating what clients do is not the spec's problem. Let's propose good solutions for browsers offline/out of the WG."

A nice side effect was that a locally configured trust anchor overriding a TLSA enables valid corporate MITM, while a non-transparent, shady-trustwave-style-subca would not be overridden by local policy, and the TLSA would cause a hard fail.

I'd also like to go on the record that I think a visual indicator to the user that shows a cert is valid only under local policy is a fantastic idea and I support it wholeheartedly. Of course UI is hard, especially with this opaque a topic to an average user, but I still think giving it a shot is a good idea.

-tom
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
