> > With this extension, any middlebox anywhere can drop traffic that is not
> > tappable. Regardless of who controls the clients and servers, we are now
> > enabling entities to block traffic unless you acquiesce. For example, an
> > inflight wifi could use this. Maybe, ultimately, many/most of the servers
> > that the passengers connect to will not support it, but some might.
Can't any middlebox block traffic today if the client doesn't agree to trust its CA?

If a middlebox drops traffic because the extension was not included, there will be no indication to the client that it was dropped because they didn't include the extension. If the middlebox does display a page back to the client saying "You have to turn on TLS-Visibility so that we can look at traffic for a server that we have control over but don't want to get the data from directly.", how is that different from "You have to trust our CA in order to communicate with this server so we can route you through our reverse proxy. Please download our CA root from the following location and install it."?

The second seems much easier in terms of scenarios 2 and 3 from my previous message.

Paul

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls