Re: [Last-Call] Artart last call review of draft-ietf-uta-rfc7525bis-09


 



On Fri, Jul 8, 2022 at 7:19 AM Cullen Jennings via Datatracker <noreply@xxxxxxxx> wrote:

I don't think BCP is the appropriate status for this. I think it should be PS.
It explicitly says that it is not trying to change existent advice in existing RFCs
and these will need other RFCs to "modernize" them. I note that www.google.com,
www.apple.com, www.mozialla.org all offer TLS 1.0 and 1.1 when I checked from
Vancouver on July 8.

Some of these sites don't require TLS at all (Google Search doesn't), so I think supporting older TLS versions makes sense in that case.

I think a lot of them choose to answer every request for public data over any TLS version or unencrypted connections.

As time goes on, more big public sites redirect all "http" requests to "https", but still do not care which version the client is using. After all, they were answering over HTTP before.

 
 I see no evidence of any
discussion of how that will work out for things that use HTTP but are not
browsers.

There just aren't that many implementations on the client side. Not only do you have to implement all of the HTTP versions and TLS, but you have to maintain all of the PKI stuff as well. Obviously, people do it, but they are not the ones that need to read this document.

If the TLS library is not one also used by the OS and a browser (NSS, SecureTransport, etc), it's probably OpenSSL. I don't think this is an oversight in the document.

thanks,
Rob
