Hi,

On Fri, 30 Sept 2022, 09:38 Randy Armstrong (OPC), <[email protected]> wrote:

> - I think the key point here is that sometimes observability is a feature and not a bug. This is particularly important in industrial/critical infrastructure. That observability can be achieved in many ways. One question is whether the observability itself should be authorized.
>
> Putting backdoors into protocols is not equivalent to letting applications decide to skip encryption.
>
> A backdoor is like giving law enforcement codes to break into a cellphone and hoping that they will never abuse the power or the codes will never fall into the hands of criminals. Letting applications decide is equivalent to an owner of a cellphone choosing not to lock their screen because they decide there is nothing that needs protecting.
>
> IOW, the fact that some users might be willing to live with the risk of a compromised system by allowing for backdoors is not a reason to refuse to allow other users to make a decision to send data in clear text when and only when they decide it is safe.

The example given was SSLKEYLOGFILE. This isn't a protocol backdoor. Instead it's an endpoint opt-in action that extracts the negotiated session key and puts it somewhere that can be used by others. It would be feasible to build a system where clients share such session keys with trusted parties in your network. Those parties could then use them for inspection. This seems about as explicit a choice as an endpoint deciding it is in a network that is safe enough to configure the use of a transport connection that discards confidentiality and/or integrity protections. It comes at a cost of having to build an architecture that can support such actions but it sounds like there is already an architecture for operational monitoring in that network.
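
The following is an added example, not part of the original message: a sketch of how a trusted inspection point could validate and index the key log lines an endpoint opts in to sharing via SSLKEYLOGFILE, keyed by the TLS client random. The function names `parse_keylog` and `inspectable` are hypothetical, and the sample lines are constructed, not real key material.

```python
import re
from collections import defaultdict

# Labels from the NSS key log format that SSLKEYLOGFILE-aware TLS stacks write.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET", "EARLY_EXPORTER_SECRET",
}
# Secrets an inspection point needs to read TLS 1.3 application data both ways.
TLS13_APP_DATA = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
# "<label> <32-byte client random in hex> <secret in hex>"
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def parse_keylog(text):
    """Return ({client_random: {label: secret_bytes}}, [rejected line numbers])."""
    sessions, rejected = defaultdict(dict), []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed by the format
        m = LINE_RE.match(line)
        if not m or m.group(1) not in TLS12_LABELS | TLS13_LABELS:
            rejected.append(lineno)  # malformed or unknown label: do not trust it
            continue
        label, client_random, secret = m.groups()
        sessions[client_random.lower()][label] = bytes.fromhex(secret)
    return dict(sessions), rejected

def inspectable(secrets):
    """True if the shared secrets suffice to decrypt application data."""
    labels = set(secrets)
    return "CLIENT_RANDOM" in labels or TLS13_APP_DATA <= labels

# Constructed sample input (not real key material).
SAMPLE = "\n".join([
    "# constructed example",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "cc" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "dd" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "33" * 32 + " " + "ee" * 32,
    "CLIENT_RANDOM not-hex deadbeef",
])

if __name__ == "__main__":
    sessions, rejected = parse_keylog(SAMPLE)
    for cr, secrets in sessions.items():
        print(cr[:16], sorted(secrets), "inspectable" if inspectable(secrets) else "partial")
    print("rejected lines:", rejected)
```

Only sessions whose endpoint shared a complete set of secrets are marked inspectable; a session with no entry in the log stays opaque to the monitoring party.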
