IETF Logo Mail Archive

[TLS] Re: 2nd Working Group Last Call for The SSLKEYLOGFILE Formatfor TLS

"Aaron Zauner (azet)" <azet@azet.org> Mon, 24 February 2025 05:00 UTC

Return-Path: <azet@azet.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 418FDC1D4CEF for <tls@ietfa.amsl.com>; Sun, 23 Feb 2025 21:00:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=azet-org.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ldRpWXhilmmK for <tls@ietfa.amsl.com>; Sun, 23 Feb 2025 21:00:57 -0800 (PST)
Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4F07C1D4CF8 for <tls@ietf.org>; Sun, 23 Feb 2025 21:00:57 -0800 (PST)
Received: by mail-wm1-x331.google.com with SMTP id 5b1f17b1804b1-4399ee18a57so22740745e9.1 for <tls@ietf.org>; Sun, 23 Feb 2025 21:00:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=azet-org.20230601.gappssmtp.com; s=20230601; t=1740373256; x=1740978056; darn=ietf.org; h=message-id:cc:date:from:to:subject:mime-version :content-transfer-encoding:from:to:cc:subject:date:message-id :reply-to; bh=aSFnAQihV/3NeC91iUWiiSq6Exa6V5SmvEFfRVZlUFw=; b=c+0ulid7qIysTCcbIH+PUP0p814fKPGocacMHHyCizCUQ0HBYBtSResv5f8GFKUaso LSYJZi10WkpTwmYDKG8VxZlLC/VdCeFk1iuSx/QTeH4Ww2Olg7FEubMS38vhslNWhoPg scqAlYhE2YaOq0LNejnv6SOVs9+frzqag4wjAMOqdbwusUI5EumbGDicQhJhIztvJGsR D6dkr0phv1eVC59GTsSmvWjU4uWUuEk68se6TOULL7Op4Nv1BEy4IJUwxLumhCPz1f8H N+kkRLA0Cd/hsy9milM85I/MhoTN6F1ZmJ4Rk5wqmMfs/w4EnofkoIHkO83hi/MUEI/2 Apgg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1740373256; x=1740978056; h=message-id:cc:date:from:to:subject:mime-version :content-transfer-encoding:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=aSFnAQihV/3NeC91iUWiiSq6Exa6V5SmvEFfRVZlUFw=; b=O3CSH91+lznBsBMMd9kVmOsdmUE2aH3z6OjN+imH9CetDbsm6FGS+gWXnSFEGbVe8w jVHYbxrVOZpOLPQZsrMdSq7A/EpZmaDQsA+dZ4tlGxbJr4+Gg9poUjbms44psdpt/asq ikee8+cpeYB+FOFNbVnh2iZ8TicKGigJBJ1/QUgUzJ+NQ1N8Z1EFrPGtLUL1D4n9L1tc gworUfsoNGcUGdqv1/9ZnrGUfhmF//7OSzeL77NuR7ufEAFK/nVq4++SLZ2Dd9Z0vYMh 0EZjpACvaU5guUnxrG7Q4mcEdQJt8/AZX8RWU9u+EgVvWgDgbnauhpj/m2FknfXvxo2U iA+A==
X-Forwarded-Encrypted: i=1; AJvYcCUwHIfEeT8ZclJ4yiavgBoqyrPNfA2wGhSik8w3PfjokiuBPvcpixp8KhOhGU+j5d8XwyM=@ietf.org
X-Gm-Message-State: AOJu0YyyYXnMX4Ch174e5/HpL0wgtFa7wBzr+txp6K5FxPJfhdNS7Jgr PkmegvpNl2UI0ao2ZEqtHKRf76Wkr8qJQyKBIUNwixDBxK6AWxGYc4Tr86UE0g==
X-Gm-Gg: ASbGnctxXnWGzx9JlWI8N6DdQDa9VzXXHwjxi0t25hZ/WYh4SrY6Hfz5v2Cwoc1kHZw 48PtM8CC4e3MX6cDXvzTPWoZNPNkQNUqz4CEhr0+ft6zwTKYg4aVepBxLKG91/Cjkx8Mo0p74nY XjgZwvskvroyxJ/Rt1VCIhb43TJucxyPQcMiEZ8AvXffJHlO3ISdiNj7QoGk4u1kj8suHjZroXx 3hiHw0/D+jxl/w5+LpKFjSEMP1RBTCSRvlzOqzj/bTlIIxNIxi/niXROE37HYAwTn+hdVdGO7hQ 4VSP2oQ/JCR3szjkwp2grSftCQYd+aE229iJQvY=
X-Google-Smtp-Source: AGHT+IHgAEFMVin5zJaE86N0bJ5hVQlVMJwK6/sJ2lnojqogONQ/g/YC5fKELLFl1H6jOjmWniSI/A==
X-Received: by 2002:a05:600c:3b1f:b0:439:9434:4f3b with SMTP id 5b1f17b1804b1-439ae2eb6c6mr85383885e9.8.1740373255310; Sun, 23 Feb 2025 21:00:55 -0800 (PST)
Received: from smtpclient.apple ([2001:470:7375:0:69d1:d3f2:7df:e81c]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-439b0367507sm95646915e9.28.2025.02.23.21.00.54 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 23 Feb 2025 21:00:54 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
To: Andrei Popov <Andrei.Popov=40microsoft.com@dmarc.ietf.org>
X-Universally-Unique-Identifier: 2E211166-C806-49E3-A123-B682CD791490
From: "Aaron Zauner (azet)" <azet@azet.org>
Date: Mon, 24 Feb 2025 06:00:23 +0100
X-Apple-Message-Smime-Encrypt: NO
Message-Id: <EB37B761-8575-43E4-AAE7-0FA301BC066D@azet.org>
X-Apple-Notify-Thread: NO
X-Mailer: iPhone Mail (21G93)
Message-ID-Hash: KPIFMPZHNHZP5XNMH2RJHZMPTG7HBZ42
X-Message-ID-Hash: KPIFMPZHNHZP5XNMH2RJHZMPTG7HBZ42
X-MailFrom: azet@azet.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Bellebaum, Thomas" <thomas.bellebaum@aisec.fraunhofer.de>, robainloynet@gmail.com, tls@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: 2nd Working Group Last Call for The SSLKEYLOGFILE Formatfor TLS
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/B5IR3V0pbWCdNtZIqxY8dEyRQm4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi,

I haven't been active on IETF lists in a while but would also like to state my clear intention not to have any feature as such standardized. As has been discussed and pointed out in this thread repeatedly: this *is* already and can always be a (preferably) default disabled implementation specific feature. Any standardization and proliferation of features like these will cause maybe otherwise unintended harm towards unsuspecting end users. It took many in the community years past 2013 to disable, compile-out/redact or otherwise remove many of the previously enormous amount of options some Linux and Unix flavors distributed open source crypto libs or network services for that enabled users to make stupid, unreflected decisions when configuring otherwise standard network services like http or smtp/imap etc.: from RNG inputs to DH params and exponent files. As far as I know on eg. AIX even today OpenSSH still builds in the most peculiar ways. But otherwise on most modern production distributions and end user / development focused operating systems and programming languages this has been ironed out over long discussions, amendments to man pages and a complete Linux kernel RNG redesign. Please let's not do this all over again. it's just another easy entry point for supply chain attacks or might serve as a rationale for vendors like pegasus that their intentions are really ours as long as they are under LI / gov contract no matter what's the end result.

All the best,
Aaron Zauner

v2.46.0 | Report a Bug | By Email | System Status