I'll argue just a little more then shut up...
On 12/03/2024 22:55, Martin Thomson wrote:
>> Sorry also for a late suggestion, but how'd we feel about adding some text like this to 1.1? "An implementation, esp. a server, emitting a log file such as this in a production environment where the TLS clients are unaware that logging is happening, could fall afoul of regulatory requirements to protect client data using state-of-the-art mechanisms."
> I agree with Ekr. That risk is not appreciably changed by the existence of a definition for a file format.
I totally do consider that our documenting this format increases the risk that production systems have such logging enabled, despite our saying "MUST NOT." So if there's a way to further disincentivise doing that, by even obliquely referring to the potential negative consequences of doing so, then I'd be for doing that. Hence my suggestion.

S.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls