[TLS]Re: [EXTERNAL] Adoption call for SSLKEYLOG Extension file for ECH

Andrei Popov <Andrei.Popov@microsoft.com> Sat, 03 August 2024 21:23 UTC

From: Andrei Popov <Andrei.Popov@microsoft.com>
To: "hannes.tschofenig=40gmx.net@dmarc.ietf.org" <hannes.tschofenig=40gmx.net@dmarc.ietf.org>, 'Sean Turner' <sean@sn3rd.com>, 'TLS List' <tls@ietf.org>
Date: Sat, 03 Aug 2024 21:23:14 +0000
Message-ID: <LV8PR21MB433809E7572B86A4590B767F8CBC2@LV8PR21MB4338.namprd21.prod.outlook.com>
References: <7CC88431-A71A-455B-A7A7-BA4AD3C8502C@sn3rd.com> <MN0PR21MB3147C2C3EE7B9115F339ADDE8CAB2@MN0PR21MB3147.namprd21.prod.outlook.com> <029901dae5c3$437addc0$ca709940$@gmx.net>
In-Reply-To: <029901dae5c3$437addc0$ca709940$@gmx.net>
Subject: [TLS]Re: [EXTERNAL] Adoption call for SSLKEYLOG Extension file for ECH
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/x3abuSfNhlxbVK3eCJg66l0bqy0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>

> as a developer you rely on ways to decrypt traffic for debugging purposes.
As a developer, I use a variety of tools for debugging purposes; in most cases, I find that I have no need to export keys and decrypt TLS ciphertext to diagnose issues.

> The draft does not define a new mechanism but instead relies on and extends an already existing TLS working group item, see...
Yes, I opposed that one also.

> It is a tool for a developer and must be enabled by the developer on one of the involved end points to work.
Correct, and this tool may have its uses. I believe the drawbacks of standardizing this tool at the IETF outweigh the benefits.

Cheers,

Andrei

-----Original Message-----
From: hannes.tschofenig=40gmx.net@dmarc.ietf.org <hannes.tschofenig=40gmx.net@dmarc.ietf.org>
Sent: Saturday, August 3, 2024 9:36 AM
To: Andrei Popov <Andrei.Popov@microsoft.com>; 'Sean Turner' <sean@sn3rd.com>; 'TLS List' <tls@ietf.org>
Subject: RE: [TLS]Re: [EXTERNAL] Adoption call for SSLKEYLOG Extension file for ECH

Hi Andrei,

as a developer you rely on ways to decrypt traffic for debugging purposes. The draft does not define a new mechanism but instead relies on and extends an already existing TLS working group item, see https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/
Hence, this is not a mechanism that allows a third party in the middle of the network communication to somehow decrypt traffic. It is a tool for a developer and must be enabled by the developer on one of the involved end points to work.

Publishing the draft as informational, much like draft-ietf-tls-keylogfile is, sounds good to me though.

Ciao
Hannes

-----Original Message-----
From: Andrei Popov <Andrei.Popov=40microsoft.com@dmarc.ietf.org>
Sent: Thursday, 25 July 2024 18:30
To: Sean Turner <sean@sn3rd.com>; TLS List <tls@ietf.org>
Subject: [TLS]Re: [EXTERNAL] Adoption call for SSLKEYLOG Extension file for ECH

I do not support adoption, because I believe the IETF should not standardize tools and techniques for decrypting TLS-protected data.
It is harder for a TLS implementer to reject requests for IETF-blessed functionality.

(As long as this remains on the Informational track, I believe it's somewhat less harmful.)

Cheers,

Andrei

-----Original Message-----
From: Sean Turner <sean@sn3rd.com>
Sent: Thursday, July 25, 2024 9:16 AM
To: TLS List <tls@ietf.org>
Subject: [EXTERNAL] [TLS]Adoption call for SSLKEYLOG Extension file for ECH

At the IETF 120 TLS session there was interest in adopting the SSLKEYLOG Extension file for ECH I-D (https://datatracker.ietf.org/doc/draft-rosomakho-tls-ech-keylogfile/). This message starts a two-week call for adoption. If you support adoption and are willing to review and contribute text, please send a message to the list. If you do not support adoption of this I-D, please send a message to the list and indicate why. This call will close on 8 August 2024.

Thanks,
Sean
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-leave@ietf.org