On Fri, Jul 15, 2022 at 10:30:55AM -0700, Rob Sayre wrote: > On Fri, Jul 8, 2022 at 7:19 AM Cullen Jennings via Datatracker < > noreply@xxxxxxxx> wrote: > > > > I see no evidence of any > > discussion of how that will work out for things that use HTTP but are not > > browsers. > > > > There just aren't that many implementations on the client side. Not only do > you have to implement all of the HTTP versions and TLS, but you have to > maintain all of the PKI stuff as well. Obviously, people do it, but they > are not the ones that need to read this document. > > If the TLS library is not one also used by the OS and a browser (NSS, > SecureTransport, etc), it's probably OpenSSL. I don't think this is an > oversight in the document. I think we need to be really careful with what we're considering as the relevant population of clients when making statements like this, and what metric is used to count/weight them. OpenSSL, for example, is terrible for embedded/IoT systems -- it's just not designed to produce a small code size. Mbed TLS (Apache licensed, just like current OpenSSL) is much more appropriate in those environments, which also happen to be ones where the scale/volume of number of devices can become quite relevant quite quickly. So what do you actually think we are/should be measuring? -Ben -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
