On Tue, Mar 12, 2024 at 2:40 PM Stephen Farrell <stephen.farr...@cs.tcd.ie>
wrote:

>
> Hiya,
>
> On 12/03/2024 14:57, Sean Turner wrote:
> > This is the working group last call for the SSLKEYLOGFILE Format for
> > TLS Internet-Draft [1]. Please indicate if you think the I-D is ready
> > to progress to the IESG and send any comments to the list by 31 March
> > 2024.
>
> This is not my fav thing, but I guess I've also benefited from
> it during development, so with a bit of nose-holding, I suppose
> it's ready. (Apologies to Martin for the grudging acceptance of
> his worthy effort;-)
>
> Sorry also for a late suggestion, but how'd we feel about adding
> some text like this to 1.1?
>
>     "An implementation, esp. a server, emitting a log file such
>      as this in a production environment where the TLS clients are
>      unaware that logging is happening, could fall afoul of regulatory
>      requirements to protect client data using state-of-the-art
>      mechanisms."
>

I don't think we should make statements about regulatory requirements
in this kind of specification. That's not our lane.

-Ekr


> Another thought occurred to me that I don't recall being mentioned
> before: given we're defining a mime type, that suggests sending
> these files by mail or in an HTTP response. Doing that could
> be leaky, esp. if only one side of the TLS connection reflected in
> the file were aware that logging was being done and if the other
> side then sends the file via unencrypted email. I guess one
> could also envisage a weird case where a server did this and
> also located the log file inside the DocRoot enabling some
> clients to see the secrets of some other clients (or their own).
> I'm not sure if either scenario, or any similar scenario justifies
> an additional warning to be careful where you send files using
> that mime type? If it seems worth including, grand. If not, that's
> ok.
>
> Cheers,
> S.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>