On Dec 2, 2020, at 9:58 AM, Ackermann, Michael <MAckermann@xxxxxxxxx> wrote:
It’s important not to catastrophize this. The IETF understands perfectly well how this process works. We write and publish RFCs, and industry (we hope!) follows. It’s a pipeline: an event happens in the IETF, it trickles out through your service providers and network product vendors, and ultimately, at some time usually quite long after the RFC is published, you have to take action.

The situation right now is that it’s been known for a long time that RC4 and MD5 are not safe to use. Your vendors have known about this for a long time. If they do not have a roll-out plan for software that corrects the problem, you have chosen the wrong vendors. Look at your agreements with them. Are they honoring them? If not, you have recourse. If you didn’t contract with them to anticipate change, it’s time to go fix that.

Stop pretending that we live in a world where we can ignore advances in technology. We don’t. If your current plans don’t assume that every bit of tech gear you have in every rack in every machine room and every hospital room will have to be upgraded at least every five years or so, hopefully in software, then change your plans now. Stop arguing with us and go do that.

Because even if browser vendors don’t follow this change quickly, you can be sure that malware writers will. Hospital after hospital keeps getting taken down with the same malware. Lives are on the line. People have died because of this. You should be working to fix that, not trying to get us to stop asking you to fix it.
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call