On Sat, Jul 8, 2017 at 5:36 AM, Yoav Nir <ynir.i...@gmail.com> wrote:
>
> On 8 Jul 2017, at 6:18, Timothy Jackson <tjack...@mobileiron.com> wrote:
>
> As an earlier poster asked, what advantage does this approach have over
> TLS-inspecting proxies? Every IPS/IDS/next-gen firewall with which I am
> familiar is able to terminate a TLS connection, inspect/copy/filter, and
> then encrypt on a new TLS session.
>
> For high-performance customers, the SSL accelerators can be sandwiched
> around the filter so all the crypto is done in hardware.
>
> The ways to prevent TLS inspection are cert pinning and client cert auth. If
> this is only within one's data center, then those features can be disabled
> if necessary, no?
>
> What use case am I missing that can't be achieved better by other means than
> static keys?
>
>
> They would like to store traffic captures encrypted and be able to decrypt
> them a little later if that is necessary. Storing plaintext is something
> that auditors (rightfully!) don’t like.

Then re-encrypt the data on the storage device.

> They also don’t want to install TLS proxies all over the place. That’s a
> large extra expense for them.

Nginx exists. What's the blocker?

> Yoav

--
"Man is born free, but everywhere he is in chains". --Rousseau.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
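The "terminate, inspect/copy, re-encrypt on a new session" proxy that Timothy describes, and the "Nginx exists" remark above, as an added nginx configuration. This is an illustration written for this page, not configuration from either poster or from the nginx project; the hostnames, certificate paths, internal CA and the inspection endpoint are assumptions.

```nginx
# Added example (not from the thread): nginx as a TLS-terminating,
# re-encrypting proxy inside one data centre. All names and paths are
# assumed for illustration.
upstream app_backend {
    server app1.internal:8443;
}

server {
    listen 443 ssl;
    server_name api.example.internal;

    # Front-side TLS. The proxy holds this key, which is why clients that
    # pin the backend's certificate (or present client certs to it) must
    # be pointed at this endpoint instead, as the thread notes.
    ssl_certificate     /etc/nginx/tls/api.example.internal.crt;
    ssl_certificate_key /etc/nginx/tls/api.example.internal.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Copy every request (including the body) to the inspection
        # service. The mirror's response is discarded, so a slow or dead
        # IDS cannot block or alter the client's request.
        mirror /inspect;
        mirror_request_body on;

        # Back-side TLS: a fresh session to the backend, with the backend's
        # certificate verified against the internal CA and SNI set explicitly.
        proxy_pass https://app_backend;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;
        proxy_ssl_server_name on;
        proxy_ssl_name app1.internal;
    }

    # Only reachable via the mirror directive, never directly from clients.
    location = /inspect {
        internal;
        proxy_pass http://ids.internal:8080$request_uri;
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header X-Original-Host $host;
    }
}
```

Two caveats a practitioner will want. First, `mirror` only applies to HTTP; for non-HTTP protocols carried over TLS the equivalent is a `stream {}` block with `ssl` on the listener and `proxy_ssl on` towards the backend, which terminates and re-encrypts but does not mirror. Second, whatever the inspection endpoint receives is plaintext, so it is the place where Yoav's point applies: anything it writes to disk should be encrypted at rest under a key the auditors can account for, rather than being stored in the clear.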