Re: [IAB] IAB report to the community for IETF 103

On Sun, Nov 18, 2018 at 10:50:37PM -0500, Keith Moore wrote:
    > Would it be appropriate for IETF to issue an RFC that states that
    > despite the similarity in names, use of such variants of TLS MUST NOT be
    > used to claim compliance with IETF specifications requiring TLS, and
    > generally warning the IETF community of deliberate efforts to weaken
    > application security?

I was having real difficulties with the above sentence.
Maybe it's missing punctuation (I don't see any missing as I look now), but I
suspect it was just ENOTENOUGHCAFFEINE on my part.

I thought that other entities were using RFC2119 language of the form:
  "TLS MUST NOT"

and I just couldn't figure out how that was going to work in a sentence.

A day later and now I understand that other entities are using "variants of
TLS" to claim that they are in compliance with IETF specifications requiring
TLS.

Like, "Use TLS but, instead of encrypting the text, just send what you
were going to encrypt, over the wire as-is" :-)

And we should (should we?) write a document saying that they MUST NOT do so.
Or as Ben just asked, do a liaison.

{Can someone write an April 1 RFC about Liaisons between SDOs, involving Microfilm?}

--
Michael Richardson <mcr+IETF@xxxxxxxxxxxx>, Sandelman Software Works
 -= IPv6 IoT consulting =-


