Re: TLS requirements (Last Call: draft-ietf-atompub-protocol to Proposed Standard)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2007-05-22 07:51, Philip Guenther wrote:
On Mon, 21 May 2007, Jeffrey Hutzelman wrote:
...
It seems to me that specs should _not_ explicitly specify which TLS version to support, and should instead refer to an STD number. Applications don't generally specify which verisons of IP or TCP to use, and TLS is at a similar level of abstraction -- except that the situation is not as painful, because using a different version of IP means you have to use completely different names, whereas using a different version of TLS does not.

We expect application protocols that require TLS to specify a mandatory- -to-implement ciphersuite to guarantee interoperability between clients and servers. How is the TLS version any different? A client that only supports TLS 1.0 will fail at handshake time if the server only supports TLS 1.1. Therefore, if interoperability is the goal, requiring support for a specific version is necessary.

Since as you point out, TLS has version negotiation, don't you mean
"support for at least one specific version is necessary"? And presumably
that would be a version whose security is believed to be minimally
adequate, with all earlier versions being forbidden. For example
  Implementations SHOULD support TLS 1.1 or later, MUST support TLS 1.0,
  MAY support SSLv3, and MUST NOT support SSLv2 or earlier.

      Brian
--
NEW: Preferred email for non-IBM matters: brian.e.carpenter@xxxxxxxxx

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]