Alan DeKok <al...@deployingradius.com> wrote:
> (Not speaking as UTA chair)
> On Apr 8, 2025, at 12:05 PM, Toerless Eckert <t...@cs.fau.de> wrote:
>> Recommending, but not requiring the use of TLS 1.3 is unfortunately necessary for
>> quite a while for the much larger space of IOT equipment and protocols written
>> for non-browser environments where IOT equipment is important to be supported.
>> Such IOT equipment often comes with an SDK that can not be upgraded for long periods of
>> time, sometimes as long as 10 years or longer, and/or solutions where upgrade of the SDK
>> (including OS) would require very expensive re-certification such as FIPS 140 or
>> required regulatory requirements.
> i.e. these systems can be upgraded with new protocols, but not with updates to TLS?
> That seems unfortunate.

Yes. For instance, you can deploy new applications to containers within a farm of application processors, but you can't upgrade the hardware TLS load balancer. Or, you can write new application-level code, but the base embedded system, which contains TLS as part of the SDK, can not be upgraded without a new review.

> Perhaps a different question is "Do we want to avoid mandating TLS 1.3
> for everyone *else* in the world, simply because one use-case refuses
> to upgrade?"
> My answer to that would be "no". The benefit gained everywhere else by
> mandating TLS 1.3 likely outweighs the minor problems of one use-case
> who chooses to ignore that mandate.

That's fine, just please don't ask us to revise a 5yr old protocol, which we are extending, and which already says "please do TLS 1.3 if you can", with "MUST do TLS 1.3".

--
Michael Richardson <mcr+i...@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________ Anima mailing list -- anima@ietf.org To unsubscribe send an email to anima-le...@ietf.org