Hi,
> On 21.11.23 18:55, Maxime Devos wrote:
>> On 21-11-2023 at 08:34, Schanzenbach, Martin wrote:
>>> We are happy to announce that our *The GNU Name System* (GNS)
>>> specification is now published as RFC 9498 [0].
>>>> in order to transparently enable this functionality for migration
>>>> purposes, a local GNS-aware SOCKS5 proxy [RFC1928] can be configured
>>>> to resolve domain names
>> Are you sure this is transparent? Consider the case where a website has
>> a log-in system, and instead of being based on passwords, it is based on
>> TLS client certificates (for example, https://ci.guix.gnu.org/ has such
>> a system to decide who is allowed to adjust ‘specifications’ and
>> ‘restart builds’).
>> Given that the SOCKS5 proxy is technically a MITM attack, and that client
>> certificates are used instead of only server certificates, I would expect
>> (and hope) that the SOCKS5 proxy can't convince the server that it is the
>> client.
> Obviously, TLS client authentication does not work in this case and this
> migration path, unless the proxy itself does it.
> I do not see a problem with the proxy doing it. It just somehow needs to
> have access to your client certs.
> Our implementation does not support this kind of flow at the moment.
> BR
It's a somewhat niche use case, so mostly transparent, sure.
But transparent, without qualifiers, I don't think so.
Best regards,
Maxime Devos
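Added example, not code from this thread, from RFC 9498 or from the GNUnet implementation: the SOCKS5 (RFC 1928) exchange that a "GNS-aware SOCKS5 proxy configured to resolve domain names" relies on, in Python. The client sends the hostname itself in the CONNECT request (ATYP=DOMAINNAME) instead of an address, so the proxy, not the client, performs resolution; the proxy then answers with succeeded or host-unreachable. The .gns.alt suffix handling, the name www.alice.gns.alt, the zone table and the injected DNS stub are constructed for the example; a real proxy would consult the GNS resolver and DNS. Once the reply is sent, a plain SOCKS5 proxy only relays bytes, so the TLS handshake, including any client certificate, still runs end to end between browser and server; the MITM concern raised above arises only when the proxy goes further and terminates TLS itself.

```python
import socket
import struct

# RFC 1928 constants
SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00
REP_GENERAL_FAILURE = 0x01
REP_HOST_UNREACHABLE = 0x04

# Constructed stand-in for the GNS resolver (an assumption for this example):
# names under .gns.alt are answered from this table; a real GNS-aware proxy
# would hand them to the GNS resolver instead.
FAKE_GNS_ZONE = {
    "www.alice.gns.alt": "192.0.2.10",
}


def client_greeting() -> bytes:
    """Client -> proxy: version 5, one offered method (no authentication)."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def proxy_select_method(greeting: bytes) -> bytes:
    """Proxy -> client: choose 'no authentication' if offered, else 0xFF."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = greeting[1]
    offered = greeting[2:2 + nmethods]
    if len(offered) != nmethods:
        raise ValueError("truncated method list")
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in offered else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def build_connect_request(host: str, port: int) -> bytes:
    """Client -> proxy: CONNECT with ATYP=DOMAINNAME. Carrying the name rather
    than an IP address is what delegates resolution to the proxy."""
    name = host.encode("ascii")
    if not 1 <= len(name) <= 255:
        raise ValueError("SOCKS5 domain names are 1..255 octets")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_connect_request(data: bytes):
    """Proxy side: return (host_or_ip, port); raise ValueError on bad input."""
    if len(data) < 5 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if cmd != CMD_CONNECT:
        raise ValueError(f"unsupported command {cmd:#04x}")
    if atyp == ATYP_DOMAIN:
        off = 5 + data[4]
        host = data[5:off].decode("ascii")
    elif atyp == ATYP_IPV4:
        off = 8
        host = socket.inet_ntop(socket.AF_INET, data[4:off])  # raises if short
    elif atyp == ATYP_IPV6:
        off = 20
        host = socket.inet_ntop(socket.AF_INET6, data[4:off])
    else:
        raise ValueError(f"unsupported address type {atyp:#04x}")
    if len(data) < off + 2:
        raise ValueError("truncated request")
    port = struct.unpack("!H", data[off:off + 2])[0]
    return host, port


def resolve_for_proxy(host, gns_zone=FAKE_GNS_ZONE, dns_lookup=lambda h: None):
    """Split the namespace: .gns.alt names go to GNS, everything else to DNS.
    dns_lookup is injected (default: unresolvable) so the example runs offline."""
    name = host.rstrip(".").lower()
    if name == "gns.alt" or name.endswith(".gns.alt"):
        return gns_zone.get(name)
    return dns_lookup(name)


def build_reply(rep: int, bnd_addr: str = "0.0.0.0", bnd_port: int = 0) -> bytes:
    """Proxy -> client: reply. BND.ADDR/PORT describe the proxy's outgoing
    socket; no socket is opened here, so 0.0.0.0:0 is reported."""
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + socket.inet_aton(bnd_addr) + struct.pack("!H", bnd_port))


def handle_connect(request: bytes, **resolver_kwargs):
    """Proxy side: parse, resolve, reply. Returns (reply_bytes, target) where
    target is the (addr, port) the proxy would open a TCP connection to and
    then relay byte-for-byte; this layer never looks inside that stream."""
    try:
        host, port = parse_connect_request(request)
    except ValueError:
        return build_reply(REP_GENERAL_FAILURE), None
    addr = resolve_for_proxy(host, **resolver_kwargs)
    if addr is None:
        return build_reply(REP_HOST_UNREACHABLE), None
    return build_reply(REP_SUCCEEDED), (addr, port)


if __name__ == "__main__":
    print(proxy_select_method(client_greeting()).hex())
    print(handle_connect(build_connect_request("www.alice.gns.alt", 443)))
    print(handle_connect(build_connect_request("nobody.gns.alt", 443)))
```

The split in resolve_for_proxy is the whole "GNS-aware" part: the proxy decides per name whether to ask GNS or DNS, and the browser never learns which was used. Anything beyond that, such as re-terminating TLS so that the certificate matches the GNS name, is a separate layer with the consequences for client-certificate login discussed in the thread.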