Hi, how about this text: https://github.com/anima-wg/anima-brski-prm/pull/149
{{?I-D.ietf-uta-require-tls13}} allows for continued use of TLS 1.2 for operational reasons. {{RFC8995}} restricted itself to requiring TLS 1.2 (but not less) for a number of reasons, including the need for mutual TLS and the need for FIPS-certified modules on router and IoT platforms that have long software lifecycles and often also include hardware offload of cryptographic options. FIPS certification is not done on software, but on the binary, and those binary distributions are often part of a different software lifecycle than the applications that run on top of it. On the Registrar and MASA side, mutual TLS authentication combined with hardware TLS offload requires specific support for extensions, such as those provided by {{?RFC9440}}. TLS 1.2 and TLS 1.3 do client authentication at a different point in the state machine, and many frameworks do not, at the time of this writing, support both in a bug-free manner.

-- Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =- *I*LIKE*TRAINS*
Anima mailing list -- anima@ietf.org
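The two Registrar-side consequences of the text above, as an added example in Python that is not part of the pull request, the draft, or the message: a server context that admits TLS 1.2 and TLS 1.3 but nothing older and requires a client certificate, and the backend-side handling of the RFC 9440 `Client-Cert` header that a TLS-offloading front end would supply. The header parsing follows the RFC 8941 Byte Sequence form (`:base64:`) that RFC 9440 uses; the proxy address range, the header dictionary and the DER bytes are constructed stand-ins, and the DER check only verifies the outer SEQUENCE shape, not the certificate itself.

```python
"""Registrar TLS policy and RFC 9440 Client-Cert handling (added example)."""
import base64
import ipaddress
import ssl
from typing import Optional


# --- 1. TLS policy: TLS 1.2 or 1.3, mutual authentication -------------------

def registrar_server_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Server context that accepts TLS 1.2 and 1.3 (not less) and requires a
    client certificate. ca_file is the trust anchor for client certificates;
    None keeps the platform default store (assumed fine for this example)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # "TLS 1.2 but not less"
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED             # mutual TLS
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def policy_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-value view of the policy, convenient for audits and tests."""
    return {
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


# --- 2. Client certificate reported by a TLS-offloading proxy (RFC 9440) ----

def parse_sf_byte_sequence(value: str) -> bytes:
    """Decode an RFC 8941 Byte Sequence (':' base64 ':'), the encoding RFC 9440
    uses for the Client-Cert header. Raises ValueError on malformed input."""
    value = value.strip()
    if len(value) < 2 or value[0] != ":" or value[-1] != ":":
        raise ValueError("not a Structured Field Byte Sequence")
    # validate=True rejects characters outside the base64 alphabet
    return base64.b64decode(value[1:-1], validate=True)


def der_well_formed(der: bytes) -> bool:
    """Check that der is exactly one DER SEQUENCE with a minimal length
    encoding, i.e. has the outer shape of a certificate. Not a full parse."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form
        length, hdr = first, 2
    elif first == 0x80 or first > 0x84:   # indefinite or absurd length: not DER
        return False
    else:                                 # long form: 0x81..0x84 + n bytes
        n = first & 0x7F
        if len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
        if (n > 1 and der[2] == 0) or (n == 1 and length < 0x80):
            return False                  # non-minimal length encoding
    return hdr + length == len(der)


def client_cert_from_request(headers: dict, peer_ip: str,
                             trusted_proxies) -> Optional[bytes]:
    """Return the DER client certificate the front end reported, or None.
    The header is honoured only when the TCP peer is one of the trusted
    TLS-offloading proxies; from any other peer it is attacker-controllable
    and is ignored. A malformed value from the proxy is an error."""
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in ipaddress.ip_network(p) for p in trusted_proxies):
        return None
    raw = headers.get("client-cert")
    if raw is None:
        return None
    der = parse_sf_byte_sequence(raw)
    if not der_well_formed(der):
        raise ValueError("Client-Cert is not a DER SEQUENCE")
    return der


# Constructed stand-in for a DER certificate: a SEQUENCE with long-form length
# (0x82 0x01 0x00 = 256 bytes of content). It is not a real X.509 certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_HEADER = ":" + base64.b64encode(SAMPLE_DER).decode("ascii") + ":"
TRUSTED_PROXIES = ["10.0.0.0/24"]   # constructed: address range of the front end

if __name__ == "__main__":
    print(policy_summary(registrar_server_context()))
    cert = client_cert_from_request({"client-cert": SAMPLE_HEADER},
                                    "10.0.0.5", TRUSTED_PROXIES)
    print("cert from trusted proxy:", cert is not None)
    print("cert from other peer:", client_cert_from_request(
        {"client-cert": SAMPLE_HEADER}, "198.51.100.7", TRUSTED_PROXIES))
```

The peer-address check is the part that matters operationally: RFC 9440 leaves it to the deployment to ensure the header can only originate from the proxy, so the backend must not accept it from direct connections, and the proxy must strip any `Client-Cert` it receives from the outside.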