On Wed, Jul 29, 2020 at 4:27 PM Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
>
> Hiya,
>
> On 29/07/2020 23:46, Eric Wang (ejwang) wrote:
> > It was the motivation of this draft to help reduce/prevent
> > non-compliance, as mentioned earlier.
>
> TLS MITM products, by design, do not comply with the TLS
> protocol, which is a 2 party protocol.

Without taking a position on this document, I do not believe this statement to be correct.

1. TLS doesn't document at all how the server is validated, so from a technical perspective a MITM proxy is simply a TLS server with a certificate issued by a locally installed CA attached to a TLS client that connects to the server (what is known in SIP as a B2BUA).

2. TLS 1.3 specifically documents invariants for TLS terminating middleboxes, including MITM proxies (https://tools.ietf.org/rfcmarkup?doc=8446#section-9.3).

3. Ignoring MITM proxies, TLS is widely deployed in operating configurations where the client connects to a TLS reverse proxy (i.e., a CDN) which then connects to the server; this is also not a two-party situation.

What text in TLS do you believe terminating proxies (in either direction) do not conform to?

-Ekr
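The first point above describes a MITM proxy as an ordinary TLS server whose certificate chains to a locally installed CA. The Go program below is an added example (not code from the thread or from any IETF draft) that builds exactly that situation in-process and shows the one thing the client side can observe: the verified chain terminates at an operator-installed root rather than a platform root. The CA name "Constructed Local Interception CA" and the hostname "example.test" are constructed for the example; `ClassifyChain` and `HandshakeViaLocalCA` are hypothetical helpers, not Go standard-library API. An endpoint agent or audit script can apply the same `ClassifyChain` logic to any verified chain to record which sessions are terminated by a local inspection CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ChainResult records where a verified chain terminates.
type ChainResult struct {
	RootCN           string // subject CN of the root the client ended up trusting
	LocallyInstalled bool   // true when that root is one the operator added, not a platform root
}

// ClassifyChain reports whether the root of a verified chain is one of the
// locally installed CAs, which is the trust relationship a TLS MITM proxy relies on.
func ClassifyChain(chain []*x509.Certificate, localRoots []*x509.Certificate) (ChainResult, error) {
	if len(chain) == 0 {
		return ChainResult{}, fmt.Errorf("empty chain")
	}
	root := chain[len(chain)-1]
	res := ChainResult{RootCN: root.Subject.CommonName}
	for _, lr := range localRoots {
		if root.Equal(lr) {
			res.LocallyInstalled = true
		}
	}
	return res, nil
}

// newCert issues a certificate from tmpl; it is self-signed when parent is nil.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// HandshakeViaLocalCA stands up the client-facing half of a MITM setup: a TLS 1.3
// server presenting a leaf issued by a constructed local CA, and a client that has
// that CA installed. It returns how the client classifies the chain it verified.
func HandshakeViaLocalCA() (ChainResult, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Local Interception CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, caKey, err := newCert(caTmpl, nil, nil)
	if err != nil {
		return ChainResult{}, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed hostname
		DNSNames:     []string{"example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, leafKey, err := newCert(leafTmpl, ca, caKey)
	if err != nil {
		return ChainResult{}, err
	}

	// Proxy-side TLS server: an ordinary server holding the leaf the local CA minted.
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}},
		MinVersion:   tls.VersionTLS13,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return ChainResult{}, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake()
	}()

	// Client trust store: only the constructed local CA here; a real endpoint
	// would carry the platform roots as well, which is what makes the check useful.
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "example.test", MinVersion: tls.VersionTLS13}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return ChainResult{}, err
	}
	defer conn.Close()
	chains := conn.ConnectionState().VerifiedChains
	if len(chains) == 0 {
		return ChainResult{}, fmt.Errorf("no verified chain")
	}
	return ClassifyChain(chains[0], []*x509.Certificate{ca})
}

func main() {
	res, err := HandshakeViaLocalCA()
	if err != nil {
		panic(err)
	}
	fmt.Printf("root=%q locallyInstalled=%v\n", res.RootCN, res.LocallyInstalled)
}
```

The handshake itself is a plain two-party TLS 1.3 exchange, which is the point of the reply: nothing in the protocol distinguishes the proxy from the origin server. What distinguishes them is the trust anchor, so the classification is done on `VerifiedChains`, not on anything in the handshake.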
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls