Rob:
Slight difference here. If you support TLS 1.2, then you need to meet the listed requirements. If you support TLS 1.3, then you need to meet the listed requirements. We are not telling implementers which one to use.
Russ

On Nov 22, 2023, at 3:00 PM, Rob Sayre <sayrer@xxxxxxxxx> wrote:
Hi Rob, I’m not sure that I saw a reply to this (and I’m about to put this in for next week’s telechat so wanted to close off this thread), and I’m also sure that Sean or Russ will correct me if my answer
is wrong, but my understanding is that this document is intended to both add support for TLS 1.3 and also update the TLS 1.2 requirements. [...]
OK, I can live with this rationale. But I will note it's possible to update the TLS 1.2 requirements without requiring TLS 1.2. FWIW, the same argument came up in drafting RFC 9325, and the compromise text was:
"For example, based on knowledge about the deployed base for an existing application protocol and a cost-benefit analysis regarding security strength vs. interoperability, a given service provider might decide to disable TLS 1.2 entirely and offer only TLS 1.3." *
This text drew a distinction between implementations and deployments, which I found to be splitting hairs, but we got extremely rough consensus there. My point is that a MUST for a 15-year-old TLS version doesn't make sense, but I always say that, and am familiar with the circles this argument tends to get into.
thanks, Rob
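The implementation-versus-deployment distinction Rob quotes from RFC 9325 can be made concrete. The Go program below is an added illustration, not code from the thread, the draft under discussion, or RFC 9325. It builds one server implementation that supports both TLS 1.2 and TLS 1.3 and then applies two deployment policies to it: the "dual" policy keeps TLS 1.2 on with TLS 1.2 as the floor, and the "TLS 1.3 only" policy disables TLS 1.2 entirely. A client restricted to TLS 1.2 is then run against each policy over an in-memory pipe to show which handshakes succeed. The self-signed certificate, the `example.invalid` name, and the function names `serverConfig` and `handshake` are all constructed for this example; session tickets are disabled only so the synchronous `net.Pipe` does not deadlock on the server's post-Finished flight.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway server certificate (constructed for this
// example only) so the handshake can run without any files on disk.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"example.invalid"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// serverConfig is the deployment decision layered on top of one
// implementation: tls13Only mirrors the RFC 9325 scenario of disabling
// TLS 1.2 entirely; otherwise TLS 1.2 stays enabled as the floor.
func serverConfig(cert tls.Certificate, tls13Only bool) *tls.Config {
	cfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // keeps net.Pipe from blocking on the ticket flight
	}
	if tls13Only {
		cfg.MinVersion = tls.VersionTLS13
	}
	return cfg
}

// handshake runs a client capped at clientMax against the server policy over
// an in-memory pipe and returns the negotiated protocol version (0 on failure).
func handshake(server *tls.Config, clientMax uint16) (uint16, error) {
	cp, sp := net.Pipe()
	defer cp.Close()
	defer sp.Close()
	client := tls.Client(cp, &tls.Config{
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         clientMax,
		InsecureSkipVerify: true, // self-signed test certificate; only acceptable in a local demo
	})
	srv := tls.Server(sp, server)
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err := client.Handshake(); err != nil {
		<-srvErr // let the server goroutine finish before the pipe closes
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name      string
		tls13Only bool
		clientMax uint16
	}{
		{"TLS 1.3-only deployment, TLS 1.2-only client", true, tls.VersionTLS12},
		{"TLS 1.3-only deployment, TLS 1.3 client", true, tls.VersionTLS13},
		{"dual deployment, TLS 1.2-only client", false, tls.VersionTLS12},
	}
	for _, tc := range cases {
		v, err := handshake(serverConfig(cert, tc.tls13Only), tc.clientMax)
		if err != nil {
			fmt.Printf("%-46s -> handshake failed: %v\n", tc.name, err)
			continue
		}
		fmt.Printf("%-46s -> negotiated %s\n", tc.name, versionName(v))
	}
}
```

The code path that speaks TLS 1.2 is compiled into every run; only the `MinVersion` line decides whether a given deployment will accept it, which is the distinction the quoted RFC 9325 text draws.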
--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call