> On 8 Jul 2017, at 6:18, Timothy Jackson <tjack...@mobileiron.com> wrote:
> 
> As an earlier poster asked, what advantage does this approach have over 
> TLS-inspecting proxies? Every IPS/IDS/next gen firewall with which I am 
> familiar is able to terminate a TLS connection, inspect/copy/filter, and 
> then encrypt on a new TLS session.
> 
> For high performance customers, the SSL accelerators can be sandwiched around 
> the filter so all the crypto is done in hardware.
> 
> The ways to prevent TLS inspection are cert pinning and client cert auth. If 
> this is only within one's data center, then those features can be disabled if 
> necessary, no?
> 
> What use case am I missing that can't be achieved better by other means than 
> static keys?

They would like to store traffic captures encrypted and be able to decrypt them 
a little later if that is necessary. Storing plaintext is something that 
auditors (rightfully!) don’t like.

They also don’t want to install TLS proxies all over the place.  That’s a large 
extra expense for them.

Yoav


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls