generated from martinthomson/internet-draft-template
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Script updating gh-pages from 058feaa. [ci skip]
- Loading branch information
ID Bot
committed
Oct 21, 2024
1 parent
0bb24f5
commit 43af1c6
Showing
3 changed files
with
200 additions
and
22 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -1031,7 +1031,7 @@ | |
| </tr></thead> | ||
| <tfoot><tr> | ||
| <td class="left">Rosomakho & Tschofenig</td> | ||
| <td class="center">Expires 23 April 2025</td> | ||
| <td class="center">Expires 24 April 2025</td> | ||
| <td class="right">[Page]</td> | ||
| </tr></tfoot> | ||
| </table> | ||
|
|
@@ -1044,12 +1044,12 @@ | |
| <dd class="internet-draft">draft-ietf-tls-ech-keylogfile-latest</dd> | ||
| <dt class="label-published">Published:</dt> | ||
| <dd class="published"> | ||
| <time datetime="2024-10-20" class="published">20 October 2024</time> | ||
| <time datetime="2024-10-21" class="published">21 October 2024</time> | ||
| </dd> | ||
| <dt class="label-intended-status">Intended Status:</dt> | ||
| <dd class="intended-status">Informational</dd> | ||
| <dt class="label-expires">Expires:</dt> | ||
| <dd class="expires"><time datetime="2025-04-23">23 April 2025</time></dd> | ||
| <dd class="expires"><time datetime="2025-04-24">24 April 2025</time></dd> | ||
| <dt class="label-authors">Authors:</dt> | ||
| <dd class="authors"> | ||
| <div class="author"> | ||
|
|
@@ -1104,7 +1104,7 @@ <h2 id="name-status-of-this-memo"> | |
| time. It is inappropriate to use Internet-Drafts as reference | ||
| material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p> | ||
| <p id="section-boilerplate.1-4"> | ||
| This Internet-Draft will expire on 23 April 2025.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p> | ||
| This Internet-Draft will expire on 24 April 2025.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p> | ||
| </section> | ||
| </div> | ||
| <div id="copyright"> | ||
|
|
@@ -1200,7 +1200,7 @@ <h2 id="name-conventions-and-definitions"> | |
| appear in all capitals, as shown here.<a href="#section-2-1" class="pilcrow">¶</a></p> | ||
| </section> | ||
| </div> | ||
| <div id="sslkeylogfile-labels-for-ech"> | ||
| <div id="labels"> | ||
| <section id="section-3"> | ||
| <h2 id="name-sslkeylogfile-labels-for-ec"> | ||
| <a href="#section-3" class="section-number selfRef">3. </a><a href="#name-sslkeylogfile-labels-for-ec" class="section-name selfRef">SSLKEYLOGFILE Labels for ECH</a> | ||
|
|
@@ -1245,19 +1245,107 @@ <h2 id="name-security-considerations"> | |
| <p id="section-5-3.1.1">Access to the ECH_SECRET record in the SSLKEYLOGFILE allows the attacker to decrypt the ECH extension and thereby reveal the content of the ClientHello message, including the payload of the Server Name Indication (SNI) extension.<a href="#section-5-3.1.1" class="pilcrow">¶</a></p> | ||
| </li> | ||
| <li class="normal" id="section-5-3.2"> | ||
| <p id="section-5-3.2.1">Access to the HPKE-established shared secret introduces a potential attack surface against the HPKE library since access to this keying material is not ncessarily available otherwise.<a href="#section-5-3.2.1" class="pilcrow">¶</a></p> | ||
| <p id="section-5-3.2.1">Access to the HPKE-established shared secret introduces a potential attack surface against the HPKE library since access to this keying material is normally not available otherwise.<a href="#section-5-3.2.1" class="pilcrow">¶</a></p> | ||
| </li> | ||
| </ul> | ||
| <p id="section-5-4">Implementers <span class="bcp14">MUST</span> take measures to prevent unauthorized access to the SSLKEYLOGFILE text file.<a href="#section-5-4" class="pilcrow">¶</a></p> | ||
| <p id="section-5-5">According to SSLKEYLOGFILE specification <span>[<a href="#I-D.ietf-tls-keylogfile" class="cite xref">I-D.ietf-tls-keylogfile</a>]</span>, this extension is intended for use in systems where TLS only protects test data. While the access this information provides to TLS connections can be useful for diagnosing problems during development, this mechanism <span class="bcp14">MUST NOT</span> be used in a production environment.<a href="#section-5-5" class="pilcrow">¶</a></p> | ||
| <p id="section-5-5">As per the SSLKEYLOGFILE specification <span>[<a href="#I-D.ietf-tls-keylogfile" class="cite xref">I-D.ietf-tls-keylogfile</a>]</span>, this extension is intended for use in environments where TLS protects only test data. While the access it provides to TLS connections can be valuable for debugging during development, this mechanism <span class="bcp14">MUST NOT</span> be used in production environments. To minimize the risk of accidental activation in production, implementers <span class="bcp14">SHOULD</span> incorporate appropriate compile-time controls.<a href="#section-5-5" class="pilcrow">¶</a></p> | ||
| </section> | ||
| </div> | ||
| <div id="iana-considerations"> | ||
| <section id="section-6"> | ||
| <h2 id="name-iana-considerations"> | ||
| <a href="#section-6" class="section-number selfRef">6. </a><a href="#name-iana-considerations" class="section-name selfRef">IANA Considerations</a> | ||
| </h2> | ||
| <p id="section-6-1">This document has no IANA actions.<a href="#section-6-1" class="pilcrow">¶</a></p> | ||
| <p id="section-6-1">IANA is requested to create a new registry "SSLKEYLOGFILE Labels", within the existing "Transport Layer Security (TLS) Parameters" registry page. | ||
| This new registry reserves labels used for SSLKEYLOGFILE entries. | ||
| The initial contents of this registry are as follows.<a href="#section-6-1" class="pilcrow">¶</a></p> | ||
| <table class="center" id="table-1"> | ||
| <caption><a href="#table-1" class="selfRef">Table 1</a></caption> | ||
| <thead> | ||
| <tr> | ||
| <th class="text-left" rowspan="1" colspan="1">Value</th> | ||
| <th class="text-left" rowspan="1" colspan="1">Description</th> | ||
| <th class="text-left" rowspan="1" colspan="1">Reference</th> | ||
| </tr> | ||
| </thead> | ||
| <tbody> | ||
| <tr> | ||
| <td class="text-left" rowspan="1" colspan="1">CLIENT_RANDOM</td> | ||
| <td class="text-left" rowspan="1" colspan="1">Master secret in TLS 1.2 and earlier</td> | ||
| <td class="text-left" rowspan="1" colspan="1"> | ||
| <span>[<a href="#I-D.ietf-tls-keylogfile" class="cite xref">I-D.ietf-tls-keylogfile</a>]</span> | ||
| </td> | ||
| </tr> | ||
| <tr> | ||
| <td class="text-left" rowspan="1" colspan="1">CLIENT_EARLY_TRAFFIC_SECRET</td> | ||
| <td class="text-left" rowspan="1" colspan="1">Secret for client early data records</td> | ||
| <td class="text-left" rowspan="1" colspan="1"> | ||
| <span>[<a href="#I-D.ietf-tls-keylogfile" class="cite xref">I-D.ietf-tls-keylogfile</a>]</span> | ||
| </td> | ||
| </tr> | ||
| <tr> | ||
| <td class="text-left" rowspan="1" colspan="1">EARLY_EXPORTER_MASTER_SECRET</td> | ||
| <td class="text-left" rowspan="1" colspan="1">Early exporters secret</td> | ||
| <td class="text-left" rowspan="1" colspan="1"> | ||
| <span>[<a href="#I-D.ietf-tls-keylogfile" class="cite xref">I-D.ietf-tls-keylogfile</a>]</span> | ||
| </td> | ||
| </tr> | ||
| <tr> | ||
| <td class="text-left" rowspan="1" colspan="1">CLIENT_HANDSHAKE_TRAFFIC_SECRET</td> | ||
| <td class="text-left" rowspan="1" colspan="1">Secret protecting client handshake</td> | ||
| <td class="text-left" rowspan="1" colspan="1"> | ||
| <span>[<a href="#I-D.ietf-tls-keylogfile" class="cite xref">I-D.ietf-tls-keylogfile</a>]</span> | ||
| </td> | ||
| </tr> | ||
| <tr> | ||
| <td class="text-left" rowspan="1" colspan="1">SERVER_HANDSHAKE_TRAFFIC_SECRET</td> | ||
| <td class="text-left" rowspan="1" colspan="1">Secret protecting server handshake</td> | ||
| <td class="text-left" rowspan="1" colspan="1"> | ||
| <span>[<a href="#I-D.ietf-tls-keylogfile" class="cite xref">I-D.ietf-tls-keylogfile</a>]</span> | ||
| </td> | ||
| </tr> | ||
| <tr> | ||
| <td class="text-left" rowspan="1" colspan="1">CLIENT_TRAFFIC_SECRET_0</td> | ||
| <td class="text-left" rowspan="1" colspan="1">Secret protecting client records post handshake</td> | ||
| <td class="text-left" rowspan="1" colspan="1"> | ||
| <span>[<a href="#I-D.ietf-tls-keylogfile" class="cite xref">I-D.ietf-tls-keylogfile</a>]</span> | ||
| </td> | ||
| </tr> | ||
| <tr> | ||
| <td class="text-left" rowspan="1" colspan="1">SERVER_TRAFFIC_SECRET_0</td> | ||
| <td class="text-left" rowspan="1" colspan="1">Secret protecting server records post handshake</td> | ||
| <td class="text-left" rowspan="1" colspan="1"> | ||
| <span>[<a href="#I-D.ietf-tls-keylogfile" class="cite xref">I-D.ietf-tls-keylogfile</a>]</span> | ||
| </td> | ||
| </tr> | ||
| <tr> | ||
| <td class="text-left" rowspan="1" colspan="1">EXPORTER_SECRET</td> | ||
| <td class="text-left" rowspan="1" colspan="1">Exporter secret after handshake</td> | ||
| <td class="text-left" rowspan="1" colspan="1"> | ||
| <span>[<a href="#I-D.ietf-tls-keylogfile" class="cite xref">I-D.ietf-tls-keylogfile</a>]</span> | ||
| </td> | ||
| </tr> | ||
| </tbody> | ||
| </table> | ||
| <p id="section-6-3">This documents defines two additional labels in <a href="#labels" class="auto internal xref">Section 3</a>:<a href="#section-6-3" class="pilcrow">¶</a></p> | ||
| <ul class="normal"> | ||
| <li class="normal" id="section-6-4.1"> | ||
| <p id="section-6-4.1.1">ECH_SECRET, which contains KEM shared secret for the ECH<a href="#section-6-4.1.1" class="pilcrow">¶</a></p> | ||
| </li> | ||
| <li class="normal" id="section-6-4.2"> | ||
| <p id="section-6-4.2.1">ECH_CONFIG, which contains ECHConfig used for construction of the ECH<a href="#section-6-4.2.1" class="pilcrow">¶</a></p> | ||
| </li> | ||
| </ul> | ||
| <p id="section-6-5">New assignments in the "SSLKEYLOGFILE Labels" registry will be administered by IANA through Expert Review <span>[<a href="#RFC8126" class="cite xref">RFC8126</a>]</span>. | ||
| Designated Experts are requested to ensure that defined labels do not overlap in names or semantics, and have clear definitions.<a href="#section-6-5" class="pilcrow">¶</a></p> | ||
| <p id="section-6-6">Registration requests must be sent to the [email protected] mailing list for review and comment, with an appropriate subject | ||
| (e.g., "Request for SSLKEYLOGFILE Label: example").<a href="#section-6-6" class="pilcrow">¶</a></p> | ||
| <p id="section-6-7">Within the review period of two weeks, the Designated Experts will either approve or deny the registration request, | ||
| communicating this decision to the review list and IANA. Denials should include an explanation and, if applicable, | ||
| suggestions as to how to make the request successful.<a href="#section-6-7" class="pilcrow">¶</a></p> | ||
| <p id="section-6-8">IANA must only accept registry updates from the Designated Experts and should direct all requests for registration | ||
| to the TLS mailing list.<a href="#section-6-8" class="pilcrow">¶</a></p> | ||
| </section> | ||
| </div> | ||
| <div id="sec-combined-references"> | ||
|
|
@@ -1283,6 +1371,10 @@ <h3 id="name-normative-references"> | |
| <dd> | ||
| <span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03" class="refDate">March 1997</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc2119">https://www.rfc-editor.org/rfc/rfc2119</a>></span>. </dd> | ||
| <dd class="break"></dd> | ||
| <dt id="RFC8126">[RFC8126]</dt> | ||
| <dd> | ||
| <span class="refAuthor">Cotton, M.</span>, <span class="refAuthor">Leiba, B.</span>, and <span class="refAuthor">T. Narten</span>, <span class="refTitle">"Guidelines for Writing an IANA Considerations Section in RFCs"</span>, <span class="seriesInfo">BCP 26</span>, <span class="seriesInfo">RFC 8126</span>, <span class="seriesInfo">DOI 10.17487/RFC8126</span>, <time datetime="2017-06" class="refDate">June 2017</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc8126">https://www.rfc-editor.org/rfc/rfc8126</a>></span>. </dd> | ||
| <dd class="break"></dd> | ||
| <dt id="RFC8174">[RFC8174]</dt> | ||
| <dd> | ||
| <span class="refAuthor">Leiba, B.</span>, <span class="refTitle">"Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 8174</span>, <span class="seriesInfo">DOI 10.17487/RFC8174</span>, <time datetime="2017-05" class="refDate">May 2017</time>, <span><<a href="https://www.rfc-editor.org/rfc/rfc8174">https://www.rfc-editor.org/rfc/rfc8174</a>></span>. </dd> | ||
|
|
@@ -1326,7 +1418,7 @@ <h3 id="name-informative-references"> | |
| <h2 id="name-acknowledgments"> | ||
| <a href="#name-acknowledgments" class="section-name selfRef">Acknowledgments</a> | ||
| </h2> | ||
| <p id="appendix-A-1">We would like to thank Stephen Farrell, Martin Thomson and Peter Wu for their review comments.<a href="#appendix-A-1" class="pilcrow">¶</a></p> | ||
| <p id="appendix-A-1">We would like to thank Stephen Farrell, Rich Salz, Martin Thomson and Peter Wu for their review comments.<a href="#appendix-A-1" class="pilcrow">¶</a></p> | ||
| </section> | ||
| </div> | ||
| <div id="authors-addresses"> | ||
|
|
||
Oops, something went wrong.