On Wed, Dec 2, 2020, 3:18 PM Ackermann, Michael <MAckermann@xxxxxxxxx> wrote:
>
> Barbara,
> Thanks.
> And I think I was aware of all you state below regarding TLS, and apologize for any related confusion regarding IPv6, even though, for the purposes of my comment, they are similar.
>
>
> I don't disagree with anything you say on the TLS subject, which is essentially that prior versions of TLS may be considered insecure, etc. and should be deprecated.....

Shouldn't we publish a document saying that? It seems this would represent consensus, even your view of the issue.

>
> My associated point is that Enterprises are generally not aware of this and that it is not currently on our Planning or Budget Radars.

TLS 1.2 has been around for how many years? All versions of OpenSSL without support have been EOL for some time. How many other CVEs remain to be found in them? FIPS, PCI etc. are all very clear that old TLS is going away. Browsers have supported TLS 1.2 for years. So has Windows. This deprecation should be easy given the extent of support for TLS 1.2. I bet that most services you run are already using TLS 1.2 or even 1.3 because the client and server have been updated.

> Further, this means we are potentially years from effectively and operationally addressing such issues.

Let's be about it.

> And we must do so in conjunction with Partners, Clouds, Clients and others.
> And my general, overall point is that the answer to addressing the above is to find way(s) of making Enterprises aware and possibly assisting with methods of addressing. I think I also said this problem is not unique to TLS or IPv6. More, it is a lack of understanding of how things work within Enterprise Networks and the lack of Enterprise engagement in Standards Development processes.
> And finally, this may not be a gap that the IETF should care about or address, but someone should, IMHO.

Your argument against the current text seems to be the following: we have a problem. It is inconvenient for me that you will ask me to deal with the problem. Therefore I would like the problem to not be acknowledged.

Perhaps I am being too uncharitable. But I fail to see how softening the language eases deprecation, or what the consequences you fear happening are.

You're free to continue ignoring the RFC series. But reality does not go away if it is ignored.

Sincerely,
Watson Ladd

>
> Thanks
>
> Mike

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call