Hiya,
On 12/03/2024 14:57, Sean Turner wrote:
This is the working group last call for the SSLKEYLOGFILE Format for TLS Internet-Draft [1]. Please indicate if you think the I-D is ready to progress to the IESG and send any comments to the list by 31 March 2024.
This is not my fav thing, but I guess I've also benefited from it during development, so with a bit of nose-holding, I suppose it's ready. (Apologies to Martin for the grudging acceptance of his worthy effort;-)

Sorry also for a late suggestion, but how'd we feel about adding some text like this to 1.1?

"An implementation, esp. a server, emitting a log file such as this in a production environment where the TLS clients are unaware that logging is happening, could fall afoul of regulatory requirements to protect client data using state-of-the-art mechanisms."

Another thought occurred to me that I don't recall being mentioned before: given we're defining a mime type, that suggests sending these files by mail or in an HTTP response. Doing that could be leaky, esp. if only one side of the TLS connection reflected in the file were aware that logging was being done and if the other side then sends the file via unencrypted email.

I guess one could also envisage a weird case where a server did this and also located the log file inside the DocRoot, enabling some clients to see the secrets of some other clients (or their own).

I'm not sure if either scenario, or any similar scenario, justifies an additional warning to be careful where you send files using that mime type? If it seems worth including, grand. If not, that's ok.

Cheers,
S.
TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
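The "log file inside the DocRoot" scenario above is the kind of thing a deployment check can catch before a key log is ever served. The following is an added example written for this thread; it is not code from the I-D, from NSS, or from any TLS implementation. It recognises lines in the NSS-style key log layout the draft documents (`<label> <client_random hex> <secret hex>`, `#` comments) and walks a directory tree flagging files that contain such records. The label list is assumed to be the one the draft registers; the sample file and directory layout are constructed for the demo.

```python
"""Scan a directory tree (e.g. a web server's document root) for files that
look like TLS key logs in SSLKEYLOGFILE format.  Example code added to this
thread, not the I-D's or any implementation's own code."""
import re
import tempfile
from pathlib import Path

# Labels of the NSS-style key log convention the draft documents.
# Assumption: this matches the label set registered by the I-D.
KNOWN_LABELS = frozenset({
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "EARLY_EXPORTER_MASTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
})

# <label> <client_random: 32 bytes as 64 hex chars> <secret: hex>
_LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]{2,})$")


def parse_keylog_line(line):
    """Return (label, client_random_hex, secret_hex) if `line` is a key log
    record, else None.  Blank lines and '#' comments are not records."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _LINE.match(line)
    if not m:
        return None
    label, client_random, secret = m.groups()
    # Unknown labels or odd-length hex secrets are not treated as records.
    if label not in KNOWN_LABELS or len(secret) % 2:
        return None
    return label, client_random.lower(), secret.lower()


def count_keylog_records(text):
    """Number of well-formed key log records in `text`."""
    return sum(1 for ln in text.splitlines() if parse_keylog_line(ln))


def scan_tree(root, max_bytes=1 << 20):
    """Walk `root` and return {relative_path: record_count} for every file
    holding at least one key log record.  Files are decoded as latin-1 so
    binary content never raises; files larger than `max_bytes` are skipped
    (a key log served from a DocRoot is normally small)."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(encoding="latin-1")
        except OSError:
            continue
        n = count_keylog_records(text)
        if n:
            hits[str(path.relative_to(root))] = n
    return hits


# Constructed sample: filler bytes, not real session material.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not real session material",
    "CLIENT_RANDOM " + "a1" * 32 + " " + "b2" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "a1" * 32 + " " + "c3" * 32,
    "CLIENT_RANDOM abcd " + "b2" * 48,  # malformed: client_random too short
]) + "\n"


def demo():
    """Build a throwaway DocRoot with a benign page and a stray key log,
    then scan it.  Returns the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html><body>hello</body></html>\n")
        (root / "debug").mkdir()
        (root / "debug" / "keys.log").write_text(SAMPLE_KEYLOG)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, n in demo().items():
        print(f"{rel}: {n} key log record(s)")
```

Run it against a real document root with `scan_tree("/var/www/html")`; any hit is a file that would hand session secrets to whoever fetches it. The matcher deliberately requires the 64-hex client random so that ordinary hex dumps and hashes in static content do not trigger it.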