On 17 July 2017 at 12:59, Roland Dobbins <rdobb...@arbor.net> wrote:
>> At the point that I have sufficient control over a host that I can run
>> my software, then I would pin certificates and the best you could do
>> is block me. None of the advice about configuration of trust anchors
>> (pinning, overrides, etc...) helps at that point.
>
> Correct. Which is why it's critical in the intranet context, within a
> single span of administrative control, to have visibility into the actual
> cryptostream.
Roland, I think that you missed my point here. My point was that you don't get that visibility when it is malware at both ends of the connection (assuming a modest amount of competency from the authors).

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls