On Nov 26, 2024, at 1:28 AM, mohamed.boucad...@orange.com wrote:
>
> Hi Heikki,
> I have one comment about the suggestion to indicate that
> draft-ietf-tls-keylogfile is a better option.
> That spec says actually the following:
>
>     This format is intended for use in systems where TLS only protects test data. While the access that this information provides to TLS connections can be useful for diagnosing problems while developing systems, this mechanism MUST NOT be used in a production system.
>
> I'm not quite sure we can recommend this mechanism here.
The "MUST NOT" above is for administrators, not implementers. It's perfectly fine for an implementation to support SSLKEYLOGFILE. In fact, implementations must support it in order for it to be used in a test environment. I agree with Heikki here, it's a very good idea to recommend that implementations support it, with a caveat that administrators do not enable it in production.

Alan DeKok.

_______________________________________________
OPSAWG mailing list -- opsawg@ietf.org
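The split Alan describes, implementation support plus an operator-side prohibition in production, can be enforced in code rather than left to policy. The following Go example is added here and is not from the thread or from any IETF draft; it uses Go's real `crypto/tls` `KeyLogWriter` hook, and the `deployment` string and `getenv` lookup are hypothetical parameters chosen for the example.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"os"
)

// ErrKeyLogInProduction makes a misconfiguration loud: the draft's MUST NOT
// binds the operator, so an implementation that sees SSLKEYLOGFILE in a
// production deployment refuses instead of silently writing secrets.
var ErrKeyLogInProduction = errors.New(
	"SSLKEYLOGFILE is set but key logging is disabled in production deployments")

// KeyLogWriter decides whether the TLS stack may log session secrets.
// deployment and getenv are hypothetical inputs (e.g. a build tag or config
// value, and os.Getenv) chosen for this example.
//   - SSLKEYLOGFILE unset:                  nil writer, logging stays off
//   - set outside production:               append-only file, mode 0600
//   - set in production:                    ErrKeyLogInProduction
func KeyLogWriter(deployment string, getenv func(string) string) (io.Writer, error) {
	path := getenv("SSLKEYLOGFILE")
	if path == "" {
		return nil, nil
	}
	if deployment == "production" {
		return nil, ErrKeyLogInProduction
	}
	// 0600 because the file holds the secrets of every logged session.
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0o600)
	if err != nil {
		return nil, fmt.Errorf("open key log: %w", err)
	}
	return f, nil
}

// ClientConfig wires the decision into a tls.Config; KeyLogWriter is only set
// when logging was actually permitted.
func ClientConfig(deployment string, getenv func(string) string) (*tls.Config, error) {
	w, err := KeyLogWriter(deployment, getenv)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if w != nil {
		cfg.KeyLogWriter = w
	}
	return cfg, nil
}

func main() {
	_, err := ClientConfig("production", os.Getenv)
	fmt.Println("production with SSLKEYLOGFILE set:", err)
}
```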