A New Internet-Draft is available from the on-line Internet-Drafts directories.

    Title     : Managing and removing automatic version rollback in TLS Clients
    Author(s) : Yngve N. Pettersen
    Filename  : draft-pettersen-tls-version-rollback-removal-00.txt
    Pages     : 6
    Date      : 2012-07-03

Abstract:

Ever since vendors started deploying TLS 1.0 clients, these clients have had to handle server implementations that do not tolerate the TLS version supported by the client, usually by automatically signaling an older supported version instead. Such version rollbacks represent a potential security hazard, if the older version should become vulnerable to attacks. The same history repeated when TLS Extensions were introduced, as some servers would not negotiate with clients that sent these protocol extensions, forcing clients to reduce protocol functionality in order to maintain interoperability.

This document outlines a procedure to help clients decide when they may use version rollback to maintain interoperability with legacy servers, under what conditions the clients should not allow version rollbacks, such as when the server has indicated support for the TLS Renegotiation Information extension. The intention of this procedure is to limit the use of automatic version rollback to legacy servers and eventually eliminate its use.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-pettersen-tls-version-rollback-removal

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-pettersen-tls-version-rollback-removal-00

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt