On 11/10/20 1:02 PM, John C Klensin wrote:
> For all of the obvious reasons, I think reclassifying these documents to historic is a good idea. _However_ if we are really trying to say "don't use these, they are obsolete and unsafe" rather than just "no current specification refers to them but do what you like", I believe that it would be better to publish a short RFC explaining the issues with them rather than simply making a datatracker note that points to a "supporting document", particularly one that doesn't actually say much of anything.

I agree that some sort of RFC is appropriate. One of my growing concerns is that deprecating old TLS ciphersuites is breaking old systems that are still in use, and actually preventing them from having any of their software upgraded, because there are no web browsers that run on those systems that support the ciphersuites used by current servers.
So IMO, simply saying "don't use these" is NOT good advice, and instead the advice should be something like "treat these ciphersuites as if they were unencrypted connections". I realize that this will make the purists uncomfortable, but I think the discussion needs to be had.

Keith