Hiya,
On 12/03/2024 14:57, Sean Turner wrote:
This is the working group last call for the SSLKEYLOGFILE Format for TLS Internet-Draft [1]. Please indicate if you think the I-D is ready to progress to the IESG and send any comments to the list by 31 March 2024.
This is not my fav thing, but I guess I've also benefited from
it during development, so with a bit of nose-holding, I suppose
it's ready. (Apologies to Martin for the grudging acceptance of
his worthy effort;-)
Sorry also for a late suggestion, but how'd we feel about adding
some text like this to 1.1?
"An implementation, esp. a server, emitting a log file such
as this in a production environment where the TLS clients are
unaware that logging is happening, could fall afoul of regulatory
requirements to protect client data using state-of-the-art
mechanisms."
Another thought occurred to me that I don't recall being mentioned
before: given we're defining a mime type, that suggests sending
these files by mail or in an HTTP response. Doing that could
be leaky, esp. if only one side of the TLS connection reflected in
the file were aware that logging was being done and if the other
side then sends the file via unencrypted email. I guess one
could also envisage a weird case where a server did this and
also located the log file inside the DocRoot enabling some
clients to see the secrets of some other clients (or their own).
I'm not sure if either scenario, or any similar scenario justifies
an additional warning to be careful where you send files using
that mime type? If it seems worth including, grand. If not, that's
ok.
Cheers,
S.
OpenPGP_0xE4D8E9F997A833DD.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
