Hello,

Based on your feedback (for which I am grateful) I have designed a new version of the access_administratively_disabled mechanism.

1. One new AlertDescription value should be specified: access_administratively_disabled.
2. The information why the webpage is blocked is specified at the URL https://access_administratively_disabled.net?d=${domain_name} as a simple string.
3. Certificates for access_administratively_disabled.net are assigned in a non-usual way: any big entity that blocks websites (e.g. OpenDNS) may get a certificate for access_administratively_disabled.net provided that their identity is validated (i.e. in an Extended-Validation way). The list of entities that received certificates for this domain would be made public and managed by IANA. This way the risk of phishing would be eliminated.
4. Any entity that is blocking some websites would redirect traffic for access_administratively_disabled.net to their own servers.
5. After getting an access_administratively_disabled warning a browser would open https://access_administratively_disabled.net?d=${domain_name}, validate its certificate and display to the user information: what gets blocked, by whom and why.
6. If https://access_administratively_disabled.net would not have a valid certificate, the browser would only display that the website is being blocked, without giving any reason.
7. IANA or someone else would provide a default https://access_administratively_disabled.net service for the public internet.

This mechanism would provide blocking transparency without affecting security.

Greetings,
Mateusz Jończyk

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
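The browser-side flow in items 5 and 6 of the proposal, modelled as an added example that is not part of the post. The symbolic alert name, the fingerprint-keyed dictionary standing in for the IANA-managed list, and the `InfoResponse` shape are assumptions made here to keep the model self-contained.

```python
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import quote

INFO_HOST = "access_administratively_disabled.net"
# Assumed symbolic name for the proposed AlertDescription value (item 1).
ALERT_ACCESS_ADMINISTRATIVELY_DISABLED = "access_administratively_disabled"

# Constructed stand-in for the IANA-managed public list of entities holding
# a certificate for INFO_HOST (item 3), keyed by certificate fingerprint.
# Assumption: the browser checks the presented certificate against this list.
AUTHORIZED_BLOCKERS = {
    "sha256:CONSTRUCTED-FP-1": "Example DNS Filter Inc.",
}


@dataclass
class InfoResponse:
    """What the browser learns from the blocker's redirected server (item 4)."""
    cert_subject: str       # subject name in the presented certificate
    cert_fingerprint: str   # fingerprint of the presented certificate
    body: str               # plain-text reason string (item 2)


def info_url(domain: str) -> str:
    """URL the browser opens after receiving the alert (item 5)."""
    return f"https://{INFO_HOST}?d={quote(domain, safe='')}"


def handle_alert(alert: str, domain: str,
                 fetch: Callable[[str], Optional[InfoResponse]]) -> Optional[str]:
    """Return the text to show the user, or None if the alert is not this one."""
    if alert != ALERT_ACCESS_ADMINISTRATIVELY_DISABLED:
        return None
    resp = fetch(info_url(domain))
    entity = None
    # Only a certificate for INFO_HOST held by a listed entity is trusted.
    if resp is not None and resp.cert_subject == INFO_HOST:
        entity = AUTHORIZED_BLOCKERS.get(resp.cert_fingerprint)
    if entity is None:
        # Item 6: no valid certificate -> report the block, but give no reason.
        return f"Access to {domain} is blocked."
    # Item 5: what got blocked, by whom and why.
    return f"Access to {domain} is blocked by {entity}: {resp.body}"
```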
