In section 5.1 of RFC8995, we say:

> Use of TLS 1.3 (or newer) is encouraged. TLS 1.2 or newer is
> REQUIRED on the Pledge side. TLS 1.3 (or newer) SHOULD be available
> on the Registrar server interface, and the Registrar client
> interface, but TLS 1.2 MAY be used. TLS 1.3 (or newer) SHOULD be
> available on the MASA server interface, but TLS 1.2 MAY be used.

and in section 5.4:

> Use of TLS 1.3 (or newer) is encouraged. TLS 1.2 or newer is
> REQUIRED. TLS 1.3 (or newer) SHOULD be available.

In TLS 1.3, the "SNI" is mandatory.

In TLS 1.2, SNI is defined at:
https://datatracker.ietf.org/doc/html/rfc6066#section-3
and it's not mandatory, but it's highly recommended, and all browsers implement it today, and so one can depend upon it being present at the server side.

Without SNI, each HTTPS tenant needs its own IP address. In IPv6, this isn't a big deal. In IPv4, it is. TLS has been a justification to ask for multiple IPv4 in the past, but this is not flying as often anymore.

I guess that I regret we did not write:

> Use of TLS 1.3 (or newer) is encouraged. TLS 1.2 or newer (with RFC6066
> SNI support) is REQUIRED. TLS 1.3 (or newer) SHOULD be available.

I don't know if it is worth an errata.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
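As an added example (not code from the thread, from RFC 8995 or from any BRSKI implementation): a Go TLS server that, like a Registrar or MASA interface sharing one IP address between several tenants, selects its certificate by SNI and refuses a TLS 1.2 ClientHello that omits the extension; the tenant names and the self-signed certificate are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SelfSigned builds a throwaway certificate for one tenant name (constructed test data).
func SelfSigned(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// ServerConfig hosts several tenants behind one IP address: the certificate is
// chosen by SNI, and a ClientHello that omits SNI (legal in TLS 1.2) is refused.
func ServerConfig(tenants map[string]tls.Certificate) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12,
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := tenants[h.ServerName]; ok {
				return &c, nil
			}
			// An empty ServerName means the ClientHello carried no SNI extension at all.
			return nil, fmt.Errorf("cannot select tenant from SNI %q", h.ServerName)
		}}
}

// Handshake runs one TLS 1.2 handshake over an in-memory pipe; sni == "" makes the
// client omit the extension entirely. A nil result means the handshake succeeded.
func Handshake(srv *tls.Config, sni string) error {
	cs, ss := net.Pipe()
	server := tls.Server(ss, srv)
	go func() { _ = server.Handshake(); ss.Close() }()
	client := tls.Client(cs, &tls.Config{ServerName: sni, InsecureSkipVerify: true, // test cert
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12})
	defer cs.Close()
	return client.Handshake()
}
```

With the registrar's tenant name as SNI the handshake completes; with no SNI, or an unknown name, the server aborts it, which is the behaviour a TLS 1.2 pledge lacking RFC 6066 support would run into.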