IETF Logo Mail Archive

[TLS] Re: 2nd Working Group Last Call for The SSLKEYLOGFILE Format for TLS

David Benjamin <davidben@chromium.org> Fri, 07 February 2025 19:00 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37BC4C1CAE7D for <tls@ietfa.amsl.com>; Fri, 7 Feb 2025 11:00:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.402
X-Spam-Level:
X-Spam-Status: No, score=-9.402 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f6RKGaBSwhf0 for <tls@ietfa.amsl.com>; Fri, 7 Feb 2025 11:00:24 -0800 (PST)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D24DC180B53 for <tls@ietf.org>; Fri, 7 Feb 2025 11:00:24 -0800 (PST)
Received: by mail-ed1-x52e.google.com with SMTP id 4fb4d7f45d1cf-5dc89df7eccso4815727a12.3 for <tls@ietf.org>; Fri, 07 Feb 2025 11:00:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1738954822; x=1739559622; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=FfrX7RAI8qtKRHZO23yuNyOlpZIP628w9Y5YGO7arbk=; b=SgFuJppgIhepFcqZMd1AIAq0wDhkVSi1IRRmMTaqpBKI+1LbCVNO0Ecwfw/JvkA0Hq ExUncQRWfpECOXQn7+7fQA0tSaL+mNR+tcr1h/jYu1Qmf5k2KPWO4Mr2z3WBuYa9pwAh B8aRtU/QQ5E93x+TAoSwvyzce3G1ipw0u832E=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738954822; x=1739559622; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=FfrX7RAI8qtKRHZO23yuNyOlpZIP628w9Y5YGO7arbk=; b=YAWPic2JXX/EtMS0DDCTImzbFMazWue8HmiK16stbjGzxl1oSP+Qa7M4rPNHnKH1FB 1kL18dUQUj1ygmjyeu7/cPiXGJ2p9Ws9jyxpUKVPpIg/7WIxx5h2KxucrfOnR4AcjD+T 6IwFmMcc8+sQii69q2k3FMw92C3IFROlZNPr5AbVValW/1y3LfJd8OpF+IHuXL9BFegw QCdprGkyc2+yIwPCj2heIqR7CYgX1NujoOaS39iXi7y1C+PwmTnZpzRH5cjkwEE2ZRil 56ue4Bxe3cKB14d4LIlFSbbTBB5GZTheV9BWlIyJ+2O8+fCNGYF2t60R3aP8OcoYDp3U s2vg==
X-Forwarded-Encrypted: i=1; AJvYcCVoqWOAccw1f06iNS6N3QZ493f66m9MvtclW7dQRK+LqguBoYMsYsGE7WHtXfogIZMWCBQ=@ietf.org
X-Gm-Message-State: AOJu0Yxc3YEAG1eVWw/8SlaIYfC6CFrrXFs/i9l4Fe/Sn63g6f0V93SI 63gXjiJz1N+uFhoOXw9Oybko7k+/TieWPDo/hczJam5vP/KXFpa6zYzb40o0XahCRIty4QOY1jV LQ87vQV1r/30VJYDj05Sf4ctuD1VPlVDXaJ8=
X-Gm-Gg: ASbGnct2wGEHu4e9tCcQTYdW+Nn4yPxvD6Y6t24+BiLgWyQ6kAycQXuUWYucreMf0qU DXJLifDDsWtqA7lKhp/Y4Mn+uEGRqsbAX0LL4IucpXDH0RqJMnQ9Zd5M9VOITH0r1evfdKNo=
X-Google-Smtp-Source: AGHT+IGygaxtBvPt7pMgciiVOZflT00nTee92uROIwraDCQ6T3NmveaOqW1ITnIgF4VrNodQsGYdYgFIZaZpvelpPzg=
X-Received: by 2002:a05:6402:5202:b0:5d9:cde9:29c6 with SMTP id 4fb4d7f45d1cf-5de458c4984mr4754887a12.27.1738954822347; Fri, 07 Feb 2025 11:00:22 -0800 (PST)
MIME-Version: 1.0
References: <834F10E3-187A-46BA-992F-3FB9C9658965@sn3rd.com> <A923C84D-C19C-42F9-8A01-975A891C47F5@akamai.com> <CAF8qwaDz1GitWFfxdf2QyaWejgx45crHqAdMiTn6Knj9t4CmDw@mail.gmail.com> <7D2E3023-8607-4023-A9F5-1E6BC5A7F292@akamai.com> <CAF8qwaC3AVWHvwAdbCHqSfOUZV=Dym-LPJa-VArSf1nTZrjmWA@mail.gmail.com> <CAF8qwaDJAULvhn3VuXyZWhiw3VZRxWbdt67PsxH4CXeSDU77dw@mail.gmail.com>
In-Reply-To: <CAF8qwaDJAULvhn3VuXyZWhiw3VZRxWbdt67PsxH4CXeSDU77dw@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Fri, 07 Feb 2025 14:00:04 -0500
X-Gm-Features: AWEUYZnhtWd0Q7jQzRrfrFiU_VtPQSCWDxqoAZre8IYo_KTOAQp92Eh7kapS7Ss
Message-ID: <CAF8qwaARzxZ-7-qw5D3Rw_bcUTjfyCAgbxrdPo5dV5Ebr-d=qw@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Content-Type: multipart/alternative; boundary="00000000000077f95f062d91f84c"
Message-ID-Hash: ML7BAVZXG75P4UGIBHVMFU3BKTAHOT6C
X-Message-ID-Hash: ML7BAVZXG75P4UGIBHVMFU3BKTAHOT6C
X-MailFrom: davidben@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, TLS List <tls@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: 2nd Working Group Last Call for The SSLKEYLOGFILE Format for TLS
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/q4f3Tnl1QhfCuujm9GfUrIMai9c>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Uploaded https://github.com/tlswg/sslkeylogfile/pull/22 to fix the typo.

On Fri, Feb 7, 2025 at 1:56 PM David Benjamin <davidben@chromium.org> wrote:

> On Fri, Feb 7, 2025 at 1:55 PM David Benjamin <davidben@chromium.org>
> wrote:
>
>> Accepting both labels gets super messy because then we have to make a
>> bunch of decisions like whether you output both labels on the logging side.
>>
>> But we can just do a bit of research here:
>> - In IETF land, EARLY_EXPORTER_MASTER_SECRET dates to the start of the
>> I-D, but...
>> - The shorter EXPORTER_SECRET name for the non-early secret dates to the
>> earliest proposals for TLS 1.3 here:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1287711
>> - BoringSSL does not output this label
>> - OpenSSL does not output this label
>>
>
> Correction: OpenSSL outputs this label but uses EARLY_EXPORTER_SECRET. Had
> the wrong grep. :-)
>
>
>> - NSS outputs this label but uses EARLY_EXPORTER_SECRET
>> - Wireshark consumes this label but uses EARLY_EXPORTER_SECRET
>>
>> So I think EARLY_EXPORTER_MASTER_SECRET was just a typo and should always
>> have been EARLY_EXPORTER_SECRET. Unless there's any evidence that someone
>> actually relies on the EARLY_EXPORTER_MASTER_SECRET label (very, very
>> unlikely given both the history of early exporters and the history of this
>> SSLKEYLOGFILE integration), I think the answer is clear: No, we should not
>> accept both labels. We should simply fix it to say EARLY_EXPORTER_SECRET
>> and move on.
>>
>> David
>>
>> On Fri, Feb 7, 2025 at 1:33 PM Salz, Rich <rsalz@akamai.com> wrote:
>>
>>> The question is really "should we accept both names?"
>>>
>>>

v2.29.0 | Report a Bug | By Email | System Status