[TLS] Re: 2nd Working Group Last Call for The SSLKEYLOGFILE Format for TLS

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sat, 08 February 2025 23:12 UTC

Message-ID: <48954914-c811-43dc-b421-cac3e081c748@cs.tcd.ie>
Date: Sat, 08 Feb 2025 23:12:26 +0000
To: Sean Turner <sean@sn3rd.com>, TLS List <tls@ietf.org>
References: <834F10E3-187A-46BA-992F-3FB9C9658965@sn3rd.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <834F10E3-187A-46BA-992F-3FB9C9658965@sn3rd.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DZWFIIxvRl09N7uvICMCeAlGdOA>

I think we should abandon this effort and not publish.

When initially proposed, this was supposed to be documenting a
deployed reality. I could just about hold my nose with that,
but adding in ECH (for which key exfiltration is not currently
deployed, nor seemingly needed) and the IANA considerations make
this much more unacceptable.

While I expected to be in the rough for the initial proposal I
do hope others find this as unacceptable as I do and we don't
publish.

Including ECH here is IMO not necessary - there is no history
of needing that for debugging purposes so adding it based on
speculation is IMO wrong and a fatal error.

This is now extensible (via IANA specification required), which
is a problem as that means anyone can likely define new ways
to exfiltrate secrets from TLS implementations without any WG
overview. That IMO is another fatal error.

Less importantly, but still substantively, the draft does not,
but should, recommend that this feature only be available via
conditional compilation (where available) and not be part of
any standard library or other release. If publishing, we should
be aiming for the strongest possible implementation guidance
in that respect.

Thanks,
S.
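The conditional-compilation guidance in the message's last substantive paragraph, shown as an added example. This is not code from the draft, from the author of the message, or from any TLS library; the build switch name SSLKEYLOG_ENABLED, the function names, and the sample byte values are all assumptions made for illustration. The line format (a label, the 32-byte client random, and the secret, each hex-encoded and space-separated) is the widely deployed SSLKEYLOGFILE convention; the point of the example is that in a build without the switch there is no code path that reads the SSLKEYLOGFILE environment variable or touches the secret at all.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Added example, not code from the draft or any TLS library.
 * Build-time switch (assumed name): SSLKEYLOG_ENABLED is defined only for
 * debug builds; a release build compiles the export down to a no-op. */

#define TLS_CLIENT_RANDOM_LEN 32
#define SSLKEYLOG_MAX_SECRET_LEN 64

/* Hex-encode n bytes into out (out needs 2*n+1 bytes). */
static void hex_encode(const uint8_t *in, size_t n, char *out) {
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) {
        out[2 * i] = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * n] = '\0';
}

/* Format one key log line: "<label> <client_random hex> <secret hex>\n".
 * Returns the number of characters written, or -1 on bad input or a short
 * buffer. Formatting has no debug gate; the export below is what must. */
int sslkeylog_format_line(char *buf, size_t buflen, const char *label,
                          const uint8_t client_random[TLS_CLIENT_RANDOM_LEN],
                          const uint8_t *secret, size_t secret_len) {
    if (!buf || !label || !client_random || !secret) return -1;
    if (secret_len == 0 || secret_len > SSLKEYLOG_MAX_SECRET_LEN) return -1;
    /* Labels are printable ASCII tokens without whitespace; reject anything
     * else so a caller cannot smuggle a second line into the file. */
    for (const char *p = label; *p; p++) {
        if (*p <= ' ' || *p > '~') return -1;
    }
    char cr_hex[2 * TLS_CLIENT_RANDOM_LEN + 1];
    char sec_hex[2 * SSLKEYLOG_MAX_SECRET_LEN + 1];
    hex_encode(client_random, TLS_CLIENT_RANDOM_LEN, cr_hex);
    hex_encode(secret, secret_len, sec_hex);
    int n = snprintf(buf, buflen, "%s %s %s\n", label, cr_hex, sec_hex);
    if (n < 0 || (size_t)n >= buflen) return -1;
    return n;
}

/* Reports whether this build can export secrets at all. */
int sslkeylog_compiled_in(void) {
#ifdef SSLKEYLOG_ENABLED
    return 1;
#else
    return 0;
#endif
}

#ifdef SSLKEYLOG_ENABLED
/* Debug build only: append the line to the file named by SSLKEYLOGFILE.
 * Returns 1 if a line was written, 0 if export was not requested, -1 on error. */
int sslkeylog_export(const char *label,
                     const uint8_t client_random[TLS_CLIENT_RANDOM_LEN],
                     const uint8_t *secret, size_t secret_len) {
    const char *path = getenv("SSLKEYLOGFILE");
    if (!path || !*path) return 0;
    char line[256];
    int n = sslkeylog_format_line(line, sizeof line, label, client_random,
                                  secret, secret_len);
    if (n < 0) return -1;
    FILE *f = fopen(path, "a");
    if (!f) return -1;
    int ok = fwrite(line, 1, (size_t)n, f) == (size_t)n;
    fclose(f);
    memset(line, 0, sizeof line);   /* best-effort scrub of the secret copy */
    return ok ? 1 : -1;
}
#else
/* Release build: the symbol exists so callers still compile, but there is no
 * code path that reads SSLKEYLOGFILE or dereferences the secret. */
int sslkeylog_export(const char *label,
                     const uint8_t client_random[TLS_CLIENT_RANDOM_LEN],
                     const uint8_t *secret, size_t secret_len) {
    (void)label; (void)client_random; (void)secret; (void)secret_len;
    return 0;
}
#endif

/* Constructed sample input (not real key material): a client random of
 * 0x01 bytes and a 48-byte secret of 0xab bytes. Returns the line length. */
int sslkeylog_sample_line(char *buf, size_t buflen) {
    uint8_t cr[TLS_CLIENT_RANDOM_LEN];
    uint8_t ms[48];
    memset(cr, 0x01, sizeof cr);
    memset(ms, 0xab, sizeof ms);
    return sslkeylog_format_line(buf, buflen, "CLIENT_RANDOM", cr, ms, sizeof ms);
}

int main(void) {
    char line[256];
    int n = sslkeylog_sample_line(line, sizeof line);
    printf("key log export compiled in: %d\n", sslkeylog_compiled_in());
    if (n > 0) fwrite(line, 1, (size_t)n, stdout);
    return 0;
}
```

Compiled as-is (no -DSSLKEYLOG_ENABLED), sslkeylog_compiled_in() returns 0 and sslkeylog_export() is an empty stub; only a build that explicitly defines the switch contains the getenv() and file-append path, which is the kind of guarantee the message asks implementers to give.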