Hi Alan,

I'm afraid that we need to handle this globally (e.g., in UTA WG), not for every application.
For example, BCP 195 says:

   Nevertheless, this document does not discourage software from
   implementing NULL cipher suites, since they can be useful for
   testing and debugging.

Cheers,
Med

> -----Original Message-----
> From: Alan DeKok <al...@deployingradius.com>
> Sent: Tuesday, 26 November 2024 12:45
> To: BOUCADAIR Mohamed INNOV/NET <mohamed.boucad...@orange.com>
> Cc: Heikki Vatiainen <h...@radiatorsoftware.com>; opsawg <opsawg@ietf.org>
> Subject: Re: [OPSAWG]Re: draft-ietf-opsawg-tacacs-tls13: Debugging TACACS+ over TLS
>
> On Nov 26, 2024, at 1:28 AM, mohamed.boucad...@orange.com wrote:
> >
> > Hi Heikki,
> > I have one comment about the suggestion to indicate that draft-ietf-tls-keylogfile is a better option.
> > That spec says actually the following:
> >    This format is intended for use in
> >    systems where TLS only protects test data. While the access that
> >    this information provides to TLS connections can be useful for
> >    diagnosing problems while developing systems, this mechanism MUST NOT
> >    be used in a production system.
> > I’m not quite sure we can recommend this mechanism here.
>
> The "MUST NOT" above is for administrators, not implementers.
>
> It's perfectly fine for an implementation to support SSLKEYLOGFILE. In fact, implementations must support it in order for it to be used in a test environment.
>
> I agree with Heikki here, it's a very good idea to recommend that implementations support it, with a caveat that administrators do not enable it in production.
>
> Alan DeKok.