On Wed, Mar 13, 2024, at 08:39, Stephen Farrell wrote:
> (Apologies to Martin for the grudging acceptance of
> his worthy effort;-)

No apology needed.  Nose-holding is expected :)

> Sorry also for a late suggestion, but how'd we feel about adding
> some text like this to 1.1?
>
>     "An implementation, esp. a server, emitting a log file such
>      as this in a production environment where the TLS clients are
>      unaware that logging is happening, could fall afoul of regulatory
>      requirements to protect client data using state-of-the-art
>      mechanisms."

I agree with Ekr.  That risk is not appreciably changed by the existence of a 
definition for a file format.  And we do better keeping to the technical 
implications of choices.

> Another thought occurred to me that I don't recall being mentioned
> before: given we're defining a mime type, that suggests sending
> these files by mail or in an HTTP response. Doing that could
> be leaky, [...]

I see equal opportunity for good things (detecting keylogfiles, deleting them, 
generating a warning) as for bad as a result of writing this down.  See also RFC 
8959 (which the IETF did not publish, which I concede undermines my position 
somewhat...)

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
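Martin's point about "detecting keylogfiles" is where a written-down format does real work: once the labels and field widths are fixed, a scanner can recognise a key log in a log directory, a ticket attachment or a mail body with very few false positives. The following is an added example by the editor, not code from the draft or from anyone on this thread. It assumes the NSS-style SSLKEYLOGFILE layout the draft documents (one entry per line: a label, the 32-byte client random as hex, and the secret as hex; `#` starts a comment; `CLIENT_RANDOM` carries a 48-byte TLS 1.2 master secret, the TLS 1.3 labels carry a hash-length secret of 32 or 48 bytes); the label set and the sample input below are the editor's, and the sample is constructed, not a real capture.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Editor's assumption: the label set of the NSS-style SSLKEYLOGFILE format as
# documented in draft-ietf-tls-keylogfile (TLS 1.3 labels plus CLIENT_RANDOM).
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "EARLY_EXPORTER_MASTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
ALL_LABELS = TLS13_LABELS | {"CLIENT_RANDOM"}

# label, 32-byte client random (64 hex), secret (hex), separated by single spaces
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


@dataclass
class KeyLogEntry:
    label: str
    client_random: bytes
    secret: bytes


def parse_keylog_line(line: str) -> Optional[KeyLogEntry]:
    """Return an entry if the line is a well-formed key log record, else None.

    Comments and blank lines are skipped; unknown labels, wrong field widths
    and non-hex fields are rejected rather than guessed at.
    """
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    m = LINE_RE.match(s)
    if m is None:
        return None
    label, rnd, sec = m.groups()
    if label not in ALL_LABELS:
        return None
    # TLS 1.2 master secret is 48 bytes; TLS 1.3 secrets are hash-length
    # (32 bytes for SHA-256 suites, 48 bytes for SHA-384 suites).
    expected_lengths = {96} if label == "CLIENT_RANDOM" else {64, 96}
    if len(sec) not in expected_lengths:
        return None
    return KeyLogEntry(label, bytes.fromhex(rnd), bytes.fromhex(sec))


def scan_keylog(text: str) -> List[Tuple[int, KeyLogEntry]]:
    """Scan arbitrary text and return (line number, entry) for every key log record."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = parse_keylog_line(line)
        if entry is not None:
            found.append((lineno, entry))
    return found


def summarize(found: List[Tuple[int, KeyLogEntry]]) -> Dict[str, object]:
    """Counts by label and number of distinct TLS sessions (distinct client randoms)."""
    by_label: Dict[str, int] = {}
    sessions = set()
    for _, e in found:
        by_label[e.label] = by_label.get(e.label, 0) + 1
        sessions.add(e.client_random)
    return {"entries": len(found), "sessions": len(sessions), "by_label": by_label}


def looks_like_keylog(text: str, min_entries: int = 1) -> bool:
    """Decision helper for a warning or a quarantine rule."""
    return len(scan_keylog(text)) >= min_entries


# Constructed sample input (editor's, not a real capture): four valid records,
# one ordinary log line, and one record with non-hex secret that must be rejected.
SAMPLE_LOG = "\n".join([
    "# constructed sample, not a real capture",
    "CLIENT_RANDOM " + "a1" * 32 + " " + "b2" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "c3" * 32 + " " + "d4" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "c3" * 32 + " " + "e5" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "c3" * 32 + " " + "f6" * 32,
    "2024-03-13T08:39:00Z INFO ordinary application log line",
    "CLIENT_RANDOM " + "a1" * 32 + " " + "zz" * 48,
])

if __name__ == "__main__":
    hits = scan_keylog(SAMPLE_LOG)
    if looks_like_keylog(SAMPLE_LOG):
        print("WARNING: TLS key log material detected", summarize(hits))
        for lineno, e in hits:
            print(f"  line {lineno}: {e.label} for session {e.client_random[:4].hex()}...")
```

Run over a directory of files or a mail body, the `sessions` count tells an incident responder how many TLS connections are decryptable with what leaked, which is the figure that matters for notification. The regex anchors on the exact field widths rather than on the label alone, so an ordinary log line that happens to contain a label word does not trigger a warning.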
