On Wed, Mar 14, 2018 at 8:32 AM, Ted Lemon <mel...@fugue.com> wrote:
> On Mar 13, 2018, at 11:49 PM, Russ Housley <hous...@vigilsec.com> wrote:
>
> I was trying to separate these two cases.  If the TLS session is terminated
> at a load balancer, then the client within the load balancer is (as Ted
> says) under control of the operator.  The operator can include any
> extensions that it wishes.  If the TLS session is not terminated at a load
> balancer, then the client needs to opt-in for decryption points in the
> enterprise data center to get the needed keying material.
>
>
> I had thought that we had agreement in Prague that this proposal did not
> require special browsers to be widely available in the wild.   If it does,
> that seems like a mildly stronger argument against it, since if the
> requirement for this behavior successfully infects browsers in the wild, the
> damage done will be to connections in addition to the ones that you are
> trying to wiretap.
>
> Is there still confusion on the question of whether click-through warnings
> can ever be part of an effective user interface design?
>

I think you'd get further (not sure how far) if this were limited to
within the datacenter and without a need for browser implementations.
If it were specific to browsers for use within an enterprise, that
would be one option, but another would be to see if this could be
limited to server-to-server only connections with no need for a
browser.  If you're terminating at a load balancer and then starting a
new session with the extension, this could be done for internal and
external users.



-- 

Best regards,
Kathleen

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
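The two cases Russ separates above (a TLS session re-originated by an operator-controlled client inside the load balancer, versus an end client that has to opt in with an extension) come down to what the ClientHello advertises. The following added example, which is not code from the thread or from any of the drafts under discussion, builds a minimal TLS 1.3 ClientHello record with and without an opt-in extension and parses the extension block back out, the check a data-center decryption point would need before treating a session as opted in. The draft's actual extension codepoint is not on the page, so `EXT_VISIBILITY_OPTIN = 0xFF01` is an assumed placeholder from the private-use range; the two sample hellos are constructed, not captured.

```python
"""Build and inspect a TLS 1.3 ClientHello to see which extensions a client advertises.
Added example, not from the mailing-list thread.  The opt-in codepoint is a placeholder."""
import os
import struct
from typing import Dict, Optional

TLS12 = b"\x03\x03"                  # legacy_version and record-layer version (RFC 8446)
EXT_SUPPORTED_VERSIONS = 43          # supported_versions, RFC 8446
EXT_VISIBILITY_OPTIN = 0xFF01        # ASSUMED placeholder in the private-use range; not the draft's value
TLS_AES_128_GCM_SHA256 = b"\x13\x01"


def _vec(data: bytes, len_bytes: int) -> bytes:
    """Length-prefixed vector as TLS encodes it (1, 2 or 3 length bytes)."""
    return len(data).to_bytes(len_bytes, "big") + data


def build_client_hello(extra_extensions: Dict[int, bytes],
                       client_random: Optional[bytes] = None) -> bytes:
    """Return a TLSPlaintext record carrying a minimal TLS 1.3 ClientHello.

    extra_extensions maps ExtensionType -> extension_data and is merged with the
    mandatory supported_versions extension."""
    exts = {EXT_SUPPORTED_VERSIONS: _vec(b"\x03\x04", 1)}   # offer TLS 1.3 only
    exts.update(extra_extensions)
    ext_block = b"".join(struct.pack("!H", t) + _vec(d, 2) for t, d in exts.items())
    body = (
        TLS12
        + (client_random or os.urandom(32))
        + _vec(b"", 1)                               # legacy_session_id: empty
        + _vec(TLS_AES_128_GCM_SHA256, 2)            # cipher_suites
        + _vec(b"\x00", 1)                           # legacy_compression_methods: null
        + _vec(ext_block, 2)                         # extensions
    )
    handshake = b"\x01" + _vec(body, 3)              # HandshakeType client_hello(1)
    return b"\x16" + TLS12 + _vec(handshake, 2)      # ContentType handshake(22)


def parse_client_hello_extensions(record: bytes) -> Dict[int, bytes]:
    """Walk a ClientHello record and return {ExtensionType: extension_data}.

    Raises ValueError on anything that is not a well-formed ClientHello, so a
    decryption point never silently treats a malformed hello as opted in."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                 # skip legacy_version and random
        pos += 1 + body[pos]                         # legacy_session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                         # legacy_compression_methods
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end != len(body):
            raise ValueError("extension block length mismatch")
        exts: Dict[int, bytes] = {}
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("extension overruns block")
            if etype in exts:
                raise ValueError(f"duplicate extension {etype}")  # forbidden by RFC 8446 4.2
            exts[etype] = body[pos:pos + elen]
            pos += elen
        return exts
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello body") from exc


def advertises_optin(record: bytes) -> bool:
    """True only if the client itself placed the (placeholder) opt-in extension in its hello."""
    return EXT_VISIBILITY_OPTIN in parse_client_hello_extensions(record)


# Constructed sample hellos for the two cases in the thread (not captured traffic):
external_browser_hello = build_client_hello({})                           # browser in the wild: no opt-in
lb_reoriginated_hello = build_client_hello({EXT_VISIBILITY_OPTIN: b""})   # operator's client behind the LB opts in

if __name__ == "__main__":
    for name, hello in (("external browser", external_browser_hello),
                        ("LB-originated", lb_reoriginated_hello)):
        exts = sorted(parse_client_hello_extensions(hello))
        print(f"{name:16s} extensions={exts} opt-in={advertises_optin(hello)}")
```

The point the parser makes concrete is the one in the quoted text: when the operator's own client inside the load balancer originates the backend session, adding the extension is a local configuration choice, whereas an end-to-end session from an external browser carries only what that browser chose to send, and nothing at the decryption point can add the opt-in after the fact.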
