Nikos Mavrogiannopoulos <nmav@xxxxxxxxxx>:
> [...] However, if you think that
> this has to be on standards track, please provide at least some
> argumentation for it.
draft-ietf-tls-downgrade-scsv-03 mandates server-side behavior (in response to certain Client Hello messages) that requires wide deployment to achieve the desired effect, hence Standards Track seems appropriate and Informational status would be insufficient.
I don't agree with your assessment that "Making this a proposed standard, would imply that the flawed technique is into standards track." draft-ietf-tls-downgrade-scsv-03 does not say that clients should implement a downgrade dance, it merely recommends sending a certain signal *if* they choose to do so.
Also note that the point that some clients may use downgraded retries for compatibility with buggy servers *is* already acknowledged by Standards Track RFCs, e.g. RFC 5246 Appendix E.1: "Note: some server implementations are known to implement version negotiation incorrectly. [...] Interoperability with such buggy servers is a complex topic beyond the scope of this document, and may require multiple connection attempts by the client."
Bodo
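The server-side behaviour the message refers to, as an added illustration that is not code from the draft or from either correspondent: a server that receives a ClientHello carrying the fallback signalling cipher suite while the offered client_version is below the highest version the server supports rejects the handshake, and a client doing a downgraded retry includes the signal only on the retries. It assumes the values the draft defines for the signal (TLS_FALLBACK_SCSV, 0x5600) and the alert (inappropriate_fallback, 86); the ordinary cipher suite 0x002f is just a placeholder.

```python
"""Model of the TLS_FALLBACK_SCSV check from draft-ietf-tls-downgrade-scsv (later RFC 7507)."""
import struct

TLS_FALLBACK_SCSV = 0x5600          # signalling cipher suite value defined by the draft
ALERT_INAPPROPRIATE_FALLBACK = 86   # alert the server returns when it rejects a fallback
PLACEHOLDER_SUITE = 0x002f          # any ordinary cipher suite; value is illustrative only


def build_client_hello(client_version, cipher_suites):
    """Constructed ClientHello body (after the handshake header): zero random,
    empty session id, the given suites, null compression only."""
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    return (struct.pack(">H", client_version) + bytes(32) + b"\x00"
            + struct.pack(">H", len(suites)) + suites + b"\x01\x00")


def parse_client_hello(body):
    """Return (client_version, [cipher suites]) from a ClientHello body."""
    client_version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                       # skip client random
    pos += 1 + body[pos]               # skip session id (1-byte length prefix)
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def server_decision(client_version, cipher_suites, server_max_version):
    """The mandated server behaviour: abort with inappropriate_fallback when the
    SCSV is present and the client offered less than the server supports."""
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max_version:
        return "abort", ALERT_INAPPROPRIATE_FALLBACK
    return "continue", None


def client_hellos_for_dance(max_version, min_version=0x0300):
    """Model a client's downgrade retries: the first attempt carries no SCSV,
    every retry at a lower version includes it."""
    hellos = []
    for version in range(max_version, min_version - 1, -1):
        suites = [PLACEHOLDER_SUITE]
        if version < max_version:
            suites.append(TLS_FALLBACK_SCSV)
        hellos.append(build_client_hello(version, suites))
    return hellos
```

A server whose highest version is TLS 1.2 (0x0303) lets the first attempt through and rejects the retries, which is the deployment-dependent effect that motivates Standards Track.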