On Thu, 23 Nov 2023, Rob Sayre wrote:
> If we create a new version of NETCONF over the next few years, which is seeming a bit more likely, then mandating TLS 1.3 (or later) for that new version makes more sense to me since other development and changes will be happening at the same time and so it seems like a natural time to update to the latest security as well. I think it's just a matter of allowing a transition to TLS 1.3-only to begin now. I definitely agree that most implementations will continue to support TLS 1.2, so I'm not sure what the MUST for TLS 1.2 really does here. It sounds like the WG wants to wait another 5 years or so for that transition, by which time TLS 1.2 will be 20 years old. If that's the case, ok, but that seems really slow to me.
Why not: MUST support either TLS 1.2 or TLS 1.3, and SHOULD support TLS 1.3? Implementations are encouraged to follow the recommendations in RFC9325 for the respective TLS version(s). Mandating 1.3 now will just get ignored.

Paul

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
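As an added illustration (not part of the thread, and not code from any NETCONF implementation) of what the proposed wording would mean for an implementer, the block below builds a server-side TLS context with Python's standard `ssl` module and checks its configured version range against three clauses: the proposed MUST (TLS 1.2 or TLS 1.3), the proposed SHOULD (TLS 1.3), and the RFC 9325 baseline that legacy versions below TLS 1.2 are not offered. The clause names (`must_12_or_13`, `should_13`, `rfc9325_no_legacy`) and the function names are this example's own; the mapping of `MINIMUM_SUPPORTED`/`MAXIMUM_SUPPORTED` to concrete versions is an assumption about what the local OpenSSL build can negotiate.

```python
import ssl

# Three clauses, named here for this example only. They mirror the wording
# proposed in the reply above: MUST 1.2 or 1.3, SHOULD 1.3, and the RFC 9325
# recommendation not to offer anything older than TLS 1.2.
CLAUSES = ("must_12_or_13", "should_13", "rfc9325_no_legacy")


def evaluate(lo: ssl.TLSVersion, hi: ssl.TLSVersion) -> dict:
    """Judge a concrete [lo, hi] version range against the three clauses.

    ssl.TLSVersion is an IntEnum, so members compare in protocol order
    (SSLv3 < TLSv1 < TLSv1_1 < TLSv1_2 < TLSv1_3).
    """
    offers_12 = lo <= ssl.TLSVersion.TLSv1_2 <= hi
    offers_13 = lo <= ssl.TLSVersion.TLSv1_3 <= hi
    return {
        "must_12_or_13": offers_12 or offers_13,
        "should_13": offers_13,
        "rfc9325_no_legacy": lo >= ssl.TLSVersion.TLSv1_2,
    }


def concrete_range(ctx: ssl.SSLContext) -> tuple:
    """Resolve a context's version bounds to concrete TLSVersion members.

    The sentinels MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED mean "whatever the
    linked OpenSSL allows"; assumption: that is SSLv3 at the low end and
    TLS 1.3 at the high end when the build advertises HAS_TLSv1_3.
    """
    lo = ctx.minimum_version
    hi = ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3 if ssl.HAS_TLSv1_3 else ssl.TLSVersion.TLSv1_2
    return lo, hi


def evaluate_context(ctx: ssl.SSLContext) -> dict:
    """Apply evaluate() to a live SSLContext."""
    lo, hi = concrete_range(ctx)
    return evaluate(lo, hi)


def build_server_context() -> ssl.SSLContext:
    """A server context configured the way the proposed text would require:
    TLS 1.2 as the floor (RFC 9325), TLS 1.3 offered when the build has it.
    Certificate loading is omitted; it is not relevant to version policy.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    ctx = build_server_context()
    for clause, ok in evaluate_context(ctx).items():
        print(f"{clause:18s} {'PASS' if ok else 'FAIL'}")
```

Run stand-alone it prints one PASS/FAIL line per clause for the context it builds; the same `evaluate_context` call can be pointed at any context an application actually uses, which is the check a reviewer would want before claiming conformance to whichever wording the WG settles on.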