I think if we ship the keys over some kind of secure socket layer we should be 
okay, right?


From: Yoav Nir <ynir.i...@gmail.com>
Date: Thursday, March 15, 2018 at 6:41 PM
To: Richard Barnes <r...@ipv.sx>
Cc: Rich Salz <rs...@akamai.com>, Hubert Kario <hka...@redhat.com>, 
"tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS interception technologies that can be used with TLS 1.3

IIUC not quite. There is an API, so the application that uses the library can 
get the keys. The application can then save it to a file, send it to a central 
repository, send it to the government, or whatever else it might want to do.

There is no built-in setting where OpenSSL writes the keys to a file, nor do 
applications such as web servers do this AFAIK.

It should not be difficult to write, but is not provided in off-the-shelf 
software.

Making the library send this in-band in some protocol extension is a far bigger 
endeavor. It’s also a dangerous switch to leave lying around.


On 16 Mar 2018, at 0:16, Richard Barnes <r...@ipv.sx> wrote:

Just to confirm that I understand the scope of the discussion here:

- TLS libraries have facilities to export keys from the library
- Obviously, it's possible to ship these exported keys elsewhere (`tail -f $SSLKEYLOGFILE | nc $LOGBOX`)

So all we're really talking about is whether to define a way to do the shipment 
of the exported keys in-band to the TLS session.


On Thu, Mar 15, 2018 at 3:05 PM, Salz, Rich <rs...@akamai.com> wrote:
This is what OpenSSL provides:
    https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_keylog_callback.html


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


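The `$SSLKEYLOGFILE` in Richard's one-liner is written in the NSS Key Log Format, the text format that libraries' keylog callbacks (such as the OpenSSL one Rich links) emit and that Wireshark reads. The following is an added example, not code from the thread or from OpenSSL: a small parser that validates such a file and summarizes which sessions it exposes and at what protocol version, the kind of check an operator would run before deciding whether a key log left on a host is a problem. The label names and field widths are those of the NSS Key Log Format; the key material in the sample is constructed and not real.

```python
"""Parse and sanity-check lines in the NSS Key Log Format.

Each line is: <LABEL> <client_random_hex> <secret_hex>
The client random is always 32 bytes (64 hex chars). TLS 1.2 logs one
CLIENT_RANDOM line per session carrying the 48-byte master secret;
TLS 1.3 logs several per-phase secrets under distinct labels.
Lines starting with '#' are comments and are ignored.
"""
from collections import defaultdict

TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EARLY_EXPORTER_SECRET",
    "EXPORTER_SECRET",
}


def _is_hex(s, length=None):
    """True if s is well-formed hex (and, if given, exactly `length` chars)."""
    if length is not None and len(s) != length:
        return False
    try:
        bytes.fromhex(s)
    except ValueError:
        return False
    return True


def parse_keylog(text):
    """Return (entries, problems).

    entries  - list of (label, client_random_hex, secret_hex) for valid lines
    problems - list of (line_number, reason) for lines that do not conform
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append((lineno, "expected 3 whitespace-separated fields"))
            continue
        label, client_random, secret = parts
        if label not in TLS12_LABELS | TLS13_LABELS:
            problems.append((lineno, f"unknown label {label}"))
            continue
        if not _is_hex(client_random, 64):
            problems.append((lineno, "client random is not 32 hex bytes"))
            continue
        if not _is_hex(secret):
            problems.append((lineno, "secret is not valid hex"))
            continue
        if label == "CLIENT_RANDOM" and len(secret) != 96:
            problems.append((lineno, "TLS 1.2 master secret must be 48 bytes"))
            continue
        entries.append((label, client_random.lower(), secret.lower()))
    return entries, problems


def summarize_sessions(entries):
    """Group entries by client random and report the protocol version.

    Returns {client_random_hex: (version, sorted list of labels logged)}.
    A session with a CLIENT_RANDOM line is TLS 1.2 (or older); anything
    logged only under the per-phase labels is TLS 1.3.
    """
    labels_by_session = defaultdict(set)
    for label, client_random, _secret in entries:
        labels_by_session[client_random].add(label)
    summary = {}
    for client_random, labels in labels_by_session.items():
        version = "TLS1.2" if labels & TLS12_LABELS else "TLS1.3"
        summary[client_random] = (version, sorted(labels))
    return summary


# Constructed sample file: one TLS 1.2 session, one TLS 1.3 session, and one
# malformed line. The hex values are placeholders, not real key material.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not real key material",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "11" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "22" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "33" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "44" * 32,
    "CLIENT_RANDOM deadbeef 00",
])

if __name__ == "__main__":
    entries, problems = parse_keylog(SAMPLE_KEYLOG)
    for client_random, (version, labels) in summarize_sessions(entries).items():
        print(f"{client_random[:16]}... {version} {', '.join(labels)}")
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
```

Run on a real key log this reports how many sessions are fully decryptable from the file and whether any are TLS 1.3 (which needs all four traffic secrets rather than one master secret), which is the practical measure of what the "switch left lying around" actually exposed.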