On Mar 13, 2018, at 11:49 PM, Russ Housley <hous...@vigilsec.com> wrote:
> I was trying to separate these two cases. If the TLS session is terminated
> at a load balancer, then the client within the load balancer is (as Ted says)
> under control of the operator. The operator can include any extensions that
> it wishes. If the TLS session is not terminated at a load balancer, then the
> client needs to opt-in for decryption points in the enterprise data center to
> get the needed keying material.
I had thought that we had agreement in Prague that this proposal did not require special browsers to be widely available in the wild. If it does, that seems like a mildly stronger argument against it, since if the requirement for this behavior successfully infects browsers in the wild, the damage done will be to connections in addition to the ones that you are trying to wiretap. Is there still confusion on the question of whether click-through warnings can ever be part of an effective user interface design?
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls