below..

On 07-Jul-21 05:15, Michael Richardson wrote:
>
> In section 5.1 of RFC8995, we say:
>
>> Use of TLS 1.3 (or newer) is encouraged. TLS 1.2 or newer is
>> REQUIRED on the Pledge side. TLS 1.3 (or newer) SHOULD be available
>> on the Registrar server interface, and the Registrar client
>> interface, but TLS 1.2 MAY be used. TLS 1.3 (or newer) SHOULD be
>> available on the MASA server interface, but TLS 1.2 MAY be used.
>
> and in section 5.4:
>
>> Use of TLS 1.3 (or newer) is encouraged. TLS 1.2 or newer is
>> REQUIRED. TLS 1.3 (or newer) SHOULD be available.
>
> In TLS 1.3, the "SNI" is mandatory.
> In TLS 1.2, SNI is defined at:
> https://datatracker.ietf.org/doc/html/rfc6066#section-3
> and it's not mandatory, but it's highly recommended, and all browsers
> implement it today, and so one can depend upon it being present at the server
> side.
>
> Without SNI, each HTTPS tenant needs its own IP address.
> In IPv6, this isn't a big deal. In IPv4, it is.
> TLS has been a justification to ask for multiple IPv4 in the past, but this
> is not flying as often anymore.
>
> I guess that I regret we did not write:
>
>> Use of TLS 1.3 (or newer) is encouraged. TLS 1.2 or newer (with RFC6066
>> SNI support) is REQUIRED. TLS 1.3 (or newer) SHOULD be available.
>
> I don't know if it is worth an errata.
RFC8995 refers to TLS 1.2 but gives no reference for it. Even for TLS 1.3, it doesn't cite RFC8446 in the above extracts, where I think it should. So I think what you really want to say is more like:

   Use of TLS 1.3 [RFC8446] (or newer) is RECOMMENDED. TLS 1.2 [RFC5246] with SNI support [RFC6066] is REQUIRED.

Or should that last bit be:

   TLS 1.2 [RFC5246] with SNI support [RFC6066] is REQUIRED if TLS 1.3 is not available.

I'd say, yes, submit an erratum, even if it ends up as "Held for Document Update".

Brian

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
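The point of the thread is that a TLS 1.2 ClientHello may legitimately arrive with no server_name extension at all, which is what breaks multi-tenant hosting on one IPv4 address. As an added example (not from the thread, RFC 8995 or any BRSKI implementation), this Python snippet extracts the SNI host_name from a ClientHello per RFC 6066 section 3, so a registrar or MASA operator can check whether peers actually send it; the ClientHello builder and every value in it (cipher suite, all-zero random, host name) are constructed test input.

```python
import struct
from typing import Optional
SERVER_NAME_EXT = 0       # extension type for server_name, RFC 6066 section 3
HOST_NAME_TYPE = 0        # NameType host_name

def parse_sni(client_hello: bytes) -> Optional[str]:
    """Return the host_name carried in a ClientHello handshake message
    (record-layer header already stripped), or None if no SNI is present."""
    if len(client_hello) < 4 or client_hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body_len = int.from_bytes(client_hello[1:4], "big")
    body = client_hello[4:4 + body_len]
    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + body[pos]                           # session_id<0..32>
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):
        return None                                # TLS 1.2 allows omitting the extensions block
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SERVER_NAME_EXT:
            continue
        list_end = 2 + int.from_bytes(data[0:2], "big")
        q = 2
        while q + 3 <= list_end:                   # walk the ServerNameList entries
            name_type = data[q]
            name_len = int.from_bytes(data[q + 1:q + 3], "big")
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == HOST_NAME_TYPE:
                return name.decode("ascii")
    return None

def build_client_hello(host: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello, with or without SNI (test input only)."""
    body = b"\x03\x03" + bytes(32)                 # legacy_version 1.2, all-zero random (constructed)
    body += b"\x00"                                # empty session_id
    body += b"\x00\x02\xc0\x2f"                    # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                            # compression_methods: null only
    if host is not None:
        h = host.encode("ascii")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(h)) + h
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SERVER_NAME_EXT, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

A None result on a real TLS 1.2 connection is exactly the case the proposed "with RFC6066 SNI support" wording would rule out.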