Re: [Last-Call] Artart last call review of draft-ietf-uta-rfc7525bis-09


 



Hi Cullen, thanks very much for the review.

 

Just a quick comment on the PS vs BCP point:

 

On Friday, 8 July 2022 at 15:18, Cullen Jennings via Datatracker <noreply@xxxxxxxx> wrote:

> [snip]

> I don't think BCP is the appropriate status for this. I think it
> should be PS.  It explicitly says that it is not trying to change
> existent advice in existing RFC and these will need other RFC to
> "modernize" them.

 

RFC 8996 (which is BCP) has already done the heavy lifting for us.
We are not saying anything new here.

 

> I note that www.google.com, www.apple.com, www.mozialla.org all offer
> TLS 1.0 and 1.1 when I checked from Vancouver on July 8. Please note I
> did a total half ass job of checking so if I am just wrong about this,
> please correct me. These people are not clueless about TLS and there
> is significant downside that is not discussed here. I have seen the
> issues that come up when Cisco turned off TLS 1.0 and 1.1 for
> www.cisco.com. The authors of protocol version X+1 tend to believe
> that turning off all versions before X is the right thing to do so
> people can get the benefits of all the new shiny stuff in X+1, but in
> many cases the test and review cycle shows that a slower roll out is
> needed. I see no evidence of any discussion of how that will work out
> for things that use HTTP but are not browsers.

 

I keep an eye on data from a cute crawler [0] that regularly scans the
top 1 million web sites, and twice per year makes a summary of the
trends.  (You can find the freshly collected raw data [1] as well as the
most recent summary [2].)

 

What I gather from that data set is that the amount of traffic < 1.2 is
becoming quasi invisible (*).  So I would be really surprised if
Mozilla, Apple and Google, which are surely captured by the crawler,
were among the very few caught red-handed supporting ver [1.0, 1.1].

 

cheers, t

 

(*) Sure, HTTP is only a fraction of what sits on top of (D)TLS, and the
top 1M is a fraction of a fraction, but still.

 

[0] https://crawler.ninja

[1] https://crawler.ninja/files/

[2] https://scotthelme.co.uk/top-1-million-analysis-june-2022/

 

 

 
