IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for SSLKEYLOG File

Martin Thomson <mt@lowentropy.net> Tue, 12 March 2024 22:55 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C3BBC14F5EC for <tls@ietfa.amsl.com>; Tue, 12 Mar 2024 15:55:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.806
X-Spam-Level:
X-Spam-Status: No, score=-2.806 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b="tfCudo8T"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="XPMwUPxi"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vRmqM5X8sCky for <tls@ietfa.amsl.com>; Tue, 12 Mar 2024 15:55:39 -0700 (PDT)
Received: from wfhigh8-smtp.messagingengine.com (wfhigh8-smtp.messagingengine.com [64.147.123.159]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDEB2C14EB17 for <tls@ietf.org>; Tue, 12 Mar 2024 15:55:38 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailfhigh.west.internal (Postfix) with ESMTP id 216C0180009B; Tue, 12 Mar 2024 18:55:32 -0400 (EDT)
Received: from imap41 ([10.202.2.91]) by compute6.internal (MEProxy); Tue, 12 Mar 2024 18:55:32 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm2; t=1710284131; x=1710370531; bh=dbE37HflWL nQtSR5m3mxeBF6/ygV8khEcYq8leJq9OM=; b=tfCudo8TBg4iMJX6P+Ovx7kHyH UXgzQ43U5+Hjex440EqTZT/a4v6cdNkwBBvgOoPXRNhRls1eNguQfhPCgqgxhlXw OpEmrLPKPzJwbJ40DMsB+4IdS1X0iZl18g6fBQUr7dvqvU5c1JLrtxX9q4AUXS4F 9qPZS2q5EpRK72xADZCsu2JymBOerkKDAolp6GLGkf10pRLzlFMqojfRow3NHZWm Of7DFoxj/n6045KjWP2DDjgD3OART+Y3t0WOz4gFmB7aOrJokComZZLQJtTP9kIS H6CmHMLeDK3VeWqISQf9UPpdn3ezzhHc3pL8MMSz0Q/l2YwXfvr1VhjiamVA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm1; t=1710284131; x=1710370531; bh=dbE37HflWLnQtSR5m3mxeBF6/ygV 8khEcYq8leJq9OM=; b=XPMwUPxi/1sQLr0x6RfC6/NUp/PsCSOMA44DElO9gqWG HHf9y2KPlEtfZR8nq2DIdjw8683IfJsfr0ZLTPk1RV0XILmoHDcrEPMLUcOQBXVt jh3Le8SsnnIqdhEpNfmIBWkaw+GuK7kmREMCzfpUiBcHCkG559mFDqoefm9pae90 GFhG14Nb0+obn7VkN0lyAeprU7YCFf37axy1HISS4GDYCACpqLDzq+X7+esq0DqY YSKFyXyw1zqn0V3ONt+SmNoahwaaibelfH7ej/iscDBpwKplMdxoJI2vU0Gst2aw pbw6LaYWppbEMjcZPhumq7bevW2usA1aQuFAnrNzBQ==
X-ME-Sender: <xms:Y93wZc9P8BsvcMQ80R19LR1k92y8jZ2gU-PK-9zy1d1mVnqILXZZRg> <xme:Y93wZUsR0Cnjm0q3kdSYDQGOn-giIujokbodYIdb2Cc_jM8mxvbffsoRiDeYR1eGP 1ukrYooGwKuS1DEJDs>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrjeeggddtgecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtsehttdertderredtnecuhfhrohhmpedfofgrrhht ihhnucfvhhhomhhsohhnfdcuoehmtheslhhofigvnhhtrhhophihrdhnvghtqeenucggtf frrghtthgvrhhnpeekteeuieektdekleefkeevhfekffevvdevgfekgfeluefgvdejjeeg ffeigedtjeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhroh hmpehmtheslhhofigvnhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:Y93wZSAXpa81cSCne3PtRHmNHzVfJ66H0an5uvP_IZk7KZ4UpjO5ew> <xmx:Y93wZccEdXJDuYpqmptzz4tPUd2x9fHYHqLgAS9mz9pFlwtCD3mYZg> <xmx:Y93wZROX1RPPZpSglvkJ2JfK2fd9WP4lSaZIJGaGXApj152ImHo98g> <xmx:Y93wZWkBF5jUuq3bIn72XZ0oyoFlzSRN3yU4Hdd6TZBkg69BAShpXg> <xmx:Y93wZSrLrDXh6o2JO3uKvzYnSb-ylvxTXFUxZSYuYPKwOnWlkfU_H7RHasg>
Feedback-ID: ic129442d:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 391D22340080; Tue, 12 Mar 2024 18:55:31 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.11.0-alpha0-251-g8332da0bf6-fm-20240305.001-g8332da0b
MIME-Version: 1.0
Message-Id: <5027880d-bf70-42e4-8974-7c148db5d737@betaapp.fastmail.com>
In-Reply-To: <cb4d17c5-b2ce-458c-b14f-9882951d2528@cs.tcd.ie>
References: <01AF00B4-F9A5-4A25-A6CB-E1D84CF8D11F@sn3rd.com> <cb4d17c5-b2ce-458c-b14f-9882951d2528@cs.tcd.ie>
Date: Wed, 13 Mar 2024 09:55:10 +1100
From: Martin Thomson <mt@lowentropy.net>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Sean Turner <sean@sn3rd.com>, TLS List <tls@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/IdYGgx7PuIzXAxdVr6XfcnsVG5U>
Subject: Re: [TLS] Working Group Last Call for SSLKEYLOG File
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Mar 2024 22:55:43 -0000


On Wed, Mar 13, 2024, at 08:39, Stephen Farrell wrote:
> (Apologies to Martin for the grudging acceptance of
> his worthy effort;-)

No apology needed.  Nose-holding is expected :)

> Sorry also for a late suggestion, but how'd we feel about adding
> some text like this to 1.1?
>
>     "An implementation, esp. a server, emitting a log file such
>      as this in a production environment where the TLS clients are
>      unaware that logging is happening, could fall afoul of regulatory
>      requirements to protect client data using state-of-the-art
>      mechanisms."

I agree with Ekr.  That risk is not appreciably changed by the existence of a definition for a file format.  And we do better keeping to the technical implications of choices.

> Another thought occurred to me that I don't recall being mentioned
> before: given we're defining a mime type, that suggests sending
> these files by mail or in an HTTP response. Doing that could
> be leaky, [...]

I see equal opportunity for good things (detecting keylogfiles, deleting them, generating a warning), than bad as a result of writing this down.  See also RFC 8959 (which the IETF did not publish, which I concede undermines my position somewhat...)

v2.23.0 | Report a Bug | By Email