Re: [TLS] Working Group Last Call for SSLKEYLOG File

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 03 April 2024 00:30 UTC

To: Sean Turner <sean@sn3rd.com>, Martin Thomson <mt@lowentropy.net>, TLS List <tls@ietf.org>
References: <01AF00B4-F9A5-4A25-A6CB-E1D84CF8D11F@sn3rd.com> <9D9F69D3-C1B8-47AD-BBF9-89E0FBECC629@sn3rd.com> <385CD19F-EA1E-4B47-B118-C4FA78B1B317@sn3rd.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <385CD19F-EA1E-4B47-B118-C4FA78B1B317@sn3rd.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9ZLZoUgkb7y9Hxu3yMoKISj23no>

Hiya,

This is basically for the record and not an objection to proceeding.

On 02/04/2024 17:34, Sean Turner wrote:
> This WGLC has concluded.  There is consensus to move this document forward.
> 
> The material change was to add a security consideration about forward secrecy guarantees being negated if the key material is leaked:
> https://github.com/tlswg/sslkeylogfile/pull/7/files
> 
> We will not be asking the formal analysis folks to weigh in on this I-D; we all know the file’s contents are the keys to the kingdom.
> 
> Martin: If you can spin a new version, I can get the Shepherd write-up drafted.

I like the addition in -01 but would still have preferred if we
weren't so awfully oblique about the consequences of running a
production system with this logging enabled.

Were it up to me (and it's not) I'd suggest an additional addition
along the lines of:

"Systems that enable logging as described here are (while logging
is enabled) unlikely to be consistent with requirements to make use
of state-of-the-art protections, as e.g. is called for by GDPR
article 32 [1]"

I suppose one could also re-do the above suggested text to refer
to RFC6919, section 3:-) [2]

Again, I'm not objecting to proceeding, just bemoaning what I see
as us being so oddly timid in calling out real issues.

Cheers,
S.

[1] https://gdpr-info.eu/art-32-gdpr/
[2] https://datatracker.ietf.org/doc/html/rfc6919#section-3

> 
> spt
> 
>> On Mar 28, 2024, at 09:24, Sean Turner <sean@sn3rd.com> wrote:
>>
>> Just a reminder that this WGLC ends soon!
>>
>> spt
>>
>>> On Mar 12, 2024, at 10:57, Sean Turner <sean@sn3rd.com> wrote:
>>>
>>> This is the working group last call for the SSLKEYLOGFILE Format for TLS Internet-Draft [1]. Please indicate if you think the I-D is ready to progress to the IESG and send any comments to the list by 31 March 2024.
>>>
>>> The GH repo for the I-D can be found at [2].
>>>
>>> Thanks,
>>>
>>> Joe, Deirdre, and Sean
>>>
>>> [1] https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/
>>> [2] https://github.com/tlswg/sslkeylogfile