As an Enterprise person I can say we are not well equipped to be aware of nor react "Nimbly" to changes such as this. Wide scope and security related changes can require major changes to core Business systems. This can mean significant time, effort and/or $$$. The biggest barrier is that this topic is not currently on the Planning or Budget radar at all, and usually takes 1-2 years (or more) to achieve either. On one side of such issues, I don't think IETF understands the above and on the other side Enterprises are unaware of developments at IETF and other SDO's. Bridging that important gap is not unique to this topic. -----Original Message----- From: TLS <tls-bounces@xxxxxxxx> On Behalf Of Eliot Lear Sent: Wednesday, December 2, 2020 5:54 AM To: Peter Gutmann <pgut001@xxxxxxxxxxxxxxxxx> Cc: draft-ietf-tls-oldversions-deprecate@xxxxxxxx; last-call@xxxxxxxx; STARK, BARBARA H <bs7652@xxxxxxx>; tls@xxxxxxxx; tls-chairs@xxxxxxxx Subject: Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice [External email] > On 2 Dec 2020, at 11:44, Peter Gutmann <pgut001@xxxxxxxxxxxxxxxxx> wrote: > > > It's actually the complete opposite, they will have every difficulty > in doing so. You've got systems engineers whose job it is to keep > things running at all costs, or where the effort to replace/upgrade is > almost insurmountable, who now have to deal with pronouncements from > standards groups that insist they not keep things running. I don't > know where you get this idea that this will cause "no difficulty" > from, it's a source of endless difficulty and frustration due to the > clash between "we can't replace or upgrade these systems at the > moment" and "there's some document that's just popped up that says we need to take them out of production and replace them”. That is as it should be. Let everyone understand the risks and make informed decisions. This draft does an excellent job at laying out the vulnerabilities in TLS 1.0 and 1.1. What it cannot do is adjudicate risk in every situation. If someone has done so and decided that the risk is acceptable, very well. They went in eyes wide open, and Stephen and friends helped. Eliot The information contained in this communication is highly confidential and is intended solely for the use of the individual(s) to whom this communication is directed. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information is prohibited. Please notify the sender, by electronic mail or telephone, of any unintended receipt and delete the original message without making any copies. Blue Cross Blue Shield of Michigan and Blue Care Network of Michigan are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association. -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
