On 12/8/20 9:07 PM, Stephen Farrell wrote:
> (replying to ekr, but really a question for you...)
> On 09/12/2020 01:55, Eric Rescorla wrote:
>> I'm curious, what do you think the point of having this update all the
>> other documents was if it wasn't to constrain implementations?
> When answering that, can you clarify what you mean by
> "constrain" and where there's a downside to your idea
> of that? It's not clear to me at any rate.
Because the requested status was Best Current Practice, I didn't
interpret this document as saying that implementations of TLS must
prevent operators from enabling TLS versions prior to 1.2.
("Best" implies that other practices can be chosen.)
The downside is that operators may effectively be forced to break
interoperability with existing clients and/or servers, that
provide essential functionality, if some of their software is
upgraded to reflect the recommendations in
draft-ietf-tls-oldversions-deprecate-09. They may be forced to
do this even when the operators have valid operational reasons for
continuing to use TLS < 1.2, have explicitly evaluated the
risks with doing so, used their exception processes to justify
doing so, etc. (Because it's generally not feasible to postpone
upgrades indefinitely or sometimes even for a short time; there
are often interdependencies that preclude doing that.)
Keith
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call