At Sat, 19 May 2007 20:34:06 -0700, Tim Bray wrote:
>
> On 5/18/07, Robert Sayre <sayrer@xxxxxxxxx> wrote:
> > I think the substituted text is inadequate, because it is not clear
> > which TLS version implementors MUST support. As I understand it, the
> > fact that it is "tricky", implying there may be trade-offs, is not
> > sufficient to avoid specifying a single, mandatory-to-implement TLS
> > version.
>
> Well Rob, I think the community at large and the IESG in particular
> would welcome suggestions on what to do with this one. In fact, we
> know what's going to happen: implementors will use the default TLS
> library for whatever platform they're on, and this will do the job,
> most times. However, I think that we have better-than-rough consensus
> that the specification landscape is a mess, making normative
> references a bitch, and that this will probably bite nearly
> everything in the Apps area from here on in.
>
> I hope someone with the necessary expertise will take this bull by the
> horns.
>
> -Tim

I agree that these specs should explicitly specify which TLS version to
support. As a practical matter, this is either 1.0 or 1.1, since 1.2 is
not yet finished. Unfortunately, which one to require isn't really
something that can be decided on technical grounds: the protocols are
very slightly different and (at least in theory) backward compatible.
TLS 1.1 is slightly more secure and TLS 1.0 is quite a bit more widely
deployed. On balance, I think this probably turns into a MUST for 1.0
and a SHOULD for 1.1, but I could certainly see this argued another way.

-Ekr

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
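The interoperability argument in the message above (a MUST for TLS 1.0 plus a SHOULD for TLS 1.1 keeps every compliant pair talking, while a 1.1-only implementation strands 1.0-only peers) can be checked against the TLS version-negotiation rule itself. The following is an added illustration written for this page, not code from the thread or from any TLS library: it models the ClientHello/ServerHello version selection from RFC 2246 / RFC 4346 (client advertises its highest version; server picks the highest it supports at or below that; client rejects a ServerHello version it does not implement) and runs it over a constructed set of endpoints. The endpoint names and the `must`/`should` policy arguments are assumptions made for the example.

```python
"""Model TLS 1.x version negotiation to see how a MUST-1.0 / SHOULD-1.1
mandatory-to-implement rule plays out across a deployment.

Added example; the endpoint populations below are constructed, not measured.
"""
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, Optional, Tuple

Version = Tuple[int, int]

# ProtocolVersion as carried on the wire: {major, minor}
TLS_1_0: Version = (3, 1)
TLS_1_1: Version = (3, 2)
TLS_1_2: Version = (3, 3)
NAMES = {TLS_1_0: "TLS 1.0", TLS_1_1: "TLS 1.1", TLS_1_2: "TLS 1.2"}


@dataclass(frozen=True)
class Endpoint:
    name: str
    supported: FrozenSet[Version]  # versions implemented AND enabled


def negotiate(client: Endpoint, server: Endpoint) -> Optional[Version]:
    """Return the version the pair settles on, or None for a handshake failure.

    - ClientHello.client_version is the highest version the client supports.
    - The server selects the highest version it supports that is <= that,
      assuming (per the spec's downward-compatibility model) the client also
      speaks everything lower; otherwise it sends a protocol_version alert.
    - The client then aborts if ServerHello.server_version is one it does
      not actually implement (e.g. a 1.1-only client offered TLS 1.0).
    """
    client_version = max(client.supported)
    candidates = [v for v in server.supported if v <= client_version]
    if not candidates:
        return None  # server has nothing at or below the client's offer
    server_version = max(candidates)
    if server_version not in client.supported:
        return None  # client does not implement what the server chose
    return server_version


def complies(endpoint: Endpoint, must: Version = TLS_1_0,
             should: Version = TLS_1_1) -> dict:
    """Check an endpoint against a MUST/SHOULD mandatory-to-implement rule."""
    return {"must": must in endpoint.supported,
            "should": should in endpoint.supported}


def all_pairs_interoperate(endpoints) -> bool:
    """True if every client/server pairing (both directions) negotiates."""
    return all(negotiate(c, s) is not None
               for c, s in product(endpoints, repeat=2))


def interop_matrix(endpoints) -> dict:
    """Map (client name, server name) -> negotiated version name or 'FAIL'."""
    return {(c.name, s.name): NAMES.get(negotiate(c, s), "FAIL")
            for c, s in product(endpoints, repeat=2)}


# Constructed deployment: mixed population of the kind the thread describes.
ONLY_10 = Endpoint("legacy-1.0-only", frozenset({TLS_1_0}))
BOTH = Endpoint("1.0+1.1", frozenset({TLS_1_0, TLS_1_1}))
ONLY_11 = Endpoint("1.1-only", frozenset({TLS_1_1}))
NEWER = Endpoint("1.0+1.1+1.2", frozenset({TLS_1_0, TLS_1_1, TLS_1_2}))

# Everything that honours the MUST (implements 1.0) interoperates, and the
# SHOULD (1.1) is used whenever both sides have it.
MUST_COMPLIANT = [ONLY_10, BOTH, NEWER]
# Dropping 1.0 violates the MUST and produces handshake failures with 1.0-only
# peers in both directions, which is the interoperability cost being weighed.
WITH_VIOLATOR = MUST_COMPLIANT + [ONLY_11]

if __name__ == "__main__":
    for pair, result in sorted(interop_matrix(WITH_VIOLATOR).items()):
        print(f"{pair[0]:>16} -> {pair[1]:<16} {result}")
    print("MUST-compliant set interoperates:", all_pairs_interoperate(MUST_COMPLIANT))
    print("with 1.1-only endpoint:", all_pairs_interoperate(WITH_VIOLATOR))
```

Running it prints the full client/server matrix; the only failing cells are the ones involving the 1.1-only endpoint and the 1.0-only endpoint, which is exactly the case the MUST is there to rule out, while the SHOULD still lets 1.1-capable pairs select TLS 1.1.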