To echo the ickiness part… Putting on my end user hat, if I have to take it with an enterprise device on the enterprise network, I would rather it be done securely, respecting my privacy... If I’m on my home network, I want an easy way to detect and reject it, no matter whether it is from a vendor, provider or state. At this time, there seems to be no easy way on either side.
On Jul 29, 2020, at 6:26 PM, Salz, Rich <rsalz=40akamai....@dmarc.ietf.org> wrote:

> I would say rather that those analyses consider them as protocol endpoints and
> address the two individual connections terminated by the proxy and have
> nothing to say about the composition of those two connections.

I think that some of those opposed are conflating the general “end to end” argument with what the TLS protocol RFC says, as ekr is saying. Conformance isn’t the issue, really, it’s ickiness. It’s one thing if an enterprise installs intermediaries to monitor the outbound traffic on its machines, it’s another if a national-scale attacker does so surreptitiously, and it’s various other things along that spectrum. We’d all like a clear bright line to say YES here, NO there, and WELL MAYBE IF YOU MUST over there, but that’s not possible.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls