Re: [TLS] Working Group Last Call for SSLKEYLOG File

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 12 March 2024 21:40 UTC

Message-ID: <cb4d17c5-b2ce-458c-b14f-9882951d2528@cs.tcd.ie>
Date: Tue, 12 Mar 2024 21:39:59 +0000
User-Agent: Mozilla Thunderbird
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Sean Turner <sean@sn3rd.com>, TLS List <tls@ietf.org>
References: <01AF00B4-F9A5-4A25-A6CB-E1D84CF8D11F@sn3rd.com>
In-Reply-To: <01AF00B4-F9A5-4A25-A6CB-E1D84CF8D11F@sn3rd.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2FUDelVn_ku1k3vattAkME008bo>
Subject: Re: [TLS] Working Group Last Call for SSLKEYLOG File

Hiya,

On 12/03/2024 14:57, Sean Turner wrote:
> This is the working group last call for the SSLKEYLOGFILE Format for
> TLS Internet-Draft [1]. Please indicate if you think the I-D is ready
> to progress to the IESG and send any comments to the list by 31 March
> 2024.

This is not my fav thing, but I guess I've also benefited from
it during development, so with a bit of nose-holding, I suppose
it's ready. (Apologies to Martin for the grudging acceptance of
his worthy effort;-)

Sorry also for a late suggestion, but how'd we feel about adding
some text like this to 1.1?

    "An implementation, esp. a server, emitting a log file such
     as this in a production environment where the TLS clients are
     unaware that logging is happening, could fall afoul of regulatory
     requirements to protect client data using state-of-the-art
     mechanisms."

Another thought occurred to me that I don't recall being mentioned
before: given we're defining a mime type, that suggests sending
these files by mail or in an HTTP response. Doing that could
be leaky, esp. if only one side of the TLS connection reflected in
the file were aware that logging was being done and if the other
side then sends the file via unencrypted email. I guess one
could also envisage a weird case where a server did this and
also located the log file inside the DocRoot enabling some
clients to see the secrets of some other clients (or their own).
I'm not sure if either scenario, or any similar scenario justifies
an additional warning to be careful where you send files using
that mime type? If it seems worth including, grand. If not, that's
ok.

Cheers,
S.
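As an added example, not part of this thread or of the draft under last call, here is a defender's check for the DocRoot scenario raised above: a small Python scanner that recognises SSLKEYLOGFILE-format lines and reports any file under a served directory that contains them. The label names and secret lengths are those used by existing implementations of the format; the directory path is an assumption supplied by whoever runs it.

```python
import re
from pathlib import Path

# TLS 1.3 labels; each secret is one hash output, 32 (SHA-256) or 48 (SHA-384) bytes.
TLS13_LABELS = ("CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_MASTER_SECRET",
                "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET")
# Expected hex length of the secret field per label; CLIENT_RANDOM carries a
# 48-byte TLS 1.2 master secret.
SECRET_HEX_LEN = {label: {64, 96} for label in TLS13_LABELS}
SECRET_HEX_LEN["CLIENT_RANDOM"] = {96}
# Three space-separated fields: label, 32-byte client random, secret.
LINE_RE = re.compile(r"^([A-Z][A-Z0-9_]*) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")


def parse_keylog_line(line):
    """Return (label, client_random, secret) for a well-formed entry, or None
    for comments, blank lines and anything outside the format."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = LINE_RE.match(line)
    if not m or len(m.group(3)) not in SECRET_HEX_LEN.get(m.group(1), ()):
        return None
    return m.group(1), m.group(2).lower(), m.group(3).lower()


def count_keylog_entries(text):
    """Tally well-formed entries per label; an empty dict means no key material."""
    counts = {}
    for line in text.splitlines():
        parsed = parse_keylog_line(line)
        if parsed:
            counts[parsed[0]] = counts.get(parsed[0], 0) + 1
    return counts


def scan_docroot(root, max_bytes=8_000_000):
    """Walk a served directory (path is the caller's assumption) and return
    {path: counts} for every file holding key log entries, i.e. secrets any
    client could fetch over HTTP."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            counts = count_keylog_entries(path.read_text(errors="ignore"))
        except OSError:
            continue
        if counts:
            hits[str(path)] = counts
    return hits
```

A non-empty result from `scan_docroot` on a web root means TLS secrets are being served to clients; the tally per label also tells you whether 1.2 master secrets or 1.3 traffic secrets are exposed.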