Thank you, Rich. That's a great idea. I personally believe that the current practice adopted by many pieces of _production_ software to take an environment variable and silently dump sslkeylog in a clear text file is rather reckless and should be strongly discouraged. This functionality must really be available only in development builds and have stronger safeguards than just an environment variable.
Best Regards,
Yaroslav

On Thu, Jul 25, 2024 at 9:37 AM Salz, Rich <rsalz= 40akamai....@dmarc.ietf.org> wrote:

> I support adoption. I want the security considerations to recommend that
> this SHOULD be controlled by compile-time options, if possible, and
> definitely not enabled in general production use.
>
> Andrei's suggestion of informational is a good idea.
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org
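A defender-side check for the practice discussed in this message, added here as an example and not taken from the thread or from any project: it lists Linux processes that were started with key logging enabled and reports whether the target file is exposed. It assumes the conventional variable name `SSLKEYLOGFILE` (the message does not name the variable) and a Linux `/proc` filesystem; the function names are hypothetical.

```python
import os
import stat

KEYLOG_VAR = b"SSLKEYLOGFILE"  # assumed: conventional name, not stated in the message


def keylog_target(environ_blob: bytes):
    """Return the key log path from a NUL-separated environ blob, or None."""
    for entry in environ_blob.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep and name == KEYLOG_VAR and value:
            return value.decode("utf-8", "surrogateescape")
    return None


def file_risk(path: str):
    """List exposure findings for a key log file; empty if it does not exist."""
    try:
        st = os.stat(path)
    except OSError:
        return []
    risks = ["exists (%d bytes)" % st.st_size]
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        risks.append("readable by group/other")
    return risks


def scan_proc(proc_root: str = "/proc"):
    """Yield (pid, keylog_path, risks) for processes started with key logging."""
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            # environ holds the environment as it was at exec time
            with open(os.path.join(base, "environ"), "rb") as fh:
                target = keylog_target(fh.read())
            if target and not os.path.isabs(target):
                # resolve relative paths against the process's own cwd
                target = os.path.join(os.readlink(os.path.join(base, "cwd")), target)
        except OSError:  # process exited, or we lack permission
            continue
        if target:
            yield int(pid), target, file_risk(target)


if __name__ == "__main__":
    for pid, path, risks in scan_proc():
        print(f"pid {pid}: {KEYLOG_VAR.decode()}={path} {'; '.join(risks)}")
```

Run it as root to see every process; an unprivileged run only covers processes owned by the calling user.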