+1

On Mon, Mar 19, 2018 at 3:32 AM, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
> On Thu 2018-03-15 20:10:46 +0200, Yoav Nir wrote:
>>> On 15 Mar 2018, at 10:53, Ion Larranaga Azcue <ila...@s21sec.com> wrote:
>>>
>>> I fail to see how the current draft can be used to provide visibility
>>> to an IPS system in order to detect bots that are inside the bank…
>>>
>>> On the one hand, the bot would never opt-in for visibility if it’s
>>> trying to exfiltrate data…
>>
>> The presumption is that any legitimate application would opt-in, so
>> the IPS blocks any TLS connection that does not opt in.
>
> Thanks for clarifying the bigger picture here, Yoav.
>
> So if this technology were deployed on a network where not all parties
> are mutually trusting, it would offer network users a choice between
> surveillance by the network on the one hand (opt-in) and censorship on
> the other (opt-out and be blocked). Is that right?
>
> Designing a mechanism for the Internet that allows/facilitates/encourages
> the network operator to force this choice on the user seems problematic.
> Why do we want this for a protocol like TLS that is intended to be used
> across potentially adversarial networks?
>
> Datacenter operators who want access to the cleartext passing through
> machines they already control already have mechanisms at their disposal
> to do this (whether they can do so at scale safely without exposing
> their customers' data to further risks is maybe an open question,
> regardless of mechanism).
>
> Mechanisms that increase "visibility" of the cleartext run counter to
> the goals of TLS as an end-to-end two-party secure communications
> protocol.
>
> Regards,
>
> --dkg
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
--
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
1401 K ST NW STE 200, Washington DC 20005-3497
e: j...@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871