Re: [TLS] [Last-Call] Last Call: (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

2020-12-04 Thread Nick Hilliard

Ted Lemon wrote on 04/12/2020 22:47:
> Why do people buy stuff that’s not upgradeable? Probably because the
> manufacturer doesn’t give them a choice, and there’s no way to force the
> choice. The recent discussions about legally requiring
> firmware-upgradeable IoT devices (e.g. in Singapore) are definitely a
> step in the right direction. For medical devices and medical
> infrastructure, this should have been required, but as far as I know
> still is not.


People don't necessarily buy stuff that's not upgradeable.  They buy 
stuff which has a support lifetime of finite duration.


Manufacturers have no incentive to continue to produce software updates 
for equipment which they stopped selling N years ago, yet the production 
lifetime of the product may well exceed the manufacturer's sales cycle 
for the device.  There aren't credible reasons to think that the problem 
of equipment obsolescence is something that can be fixed by the IETF.


This shouldn't stop the IETF from formally deprecating standards which 
are known to be dysfunctional.


Nick

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


Re: [TLS] [Last-Call] Last Call: (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

2020-12-05 Thread Nick Hilliard

Ted Lemon wrote on 05/12/2020 01:32:

> Of course no product has infinite lifetime, but lots of iot stuff is
> expected to be in the walls for 30 years. Radiology equipment lasts
> decades. Etc.

Yip, this is one of the reasons that medical and other certified 
equipment (e.g. military, industrial, etc) is so expensive to start 
with: there's an expectation of long life and an understanding that this 
is reflected in either the up-front cost or ongoing support / 
maintenance costs.  For the bulk-produced consumer-oriented product 
market, people are not prepared to pay and in any event it's usually 
cheaper to replace equipment than repair or maintain properly - and 
that's even if the product is still relevant.  Who still uses their USR 
Sportster?  Or even their 802.11b wifi access point?  In 10 years' time, 
there will be



> It’s really natural to think of stuff you buy as being stable and
> solid, but when there’s software in it, this cognitive bias requires
> serious systems thinking to avoid.


This is only part of a much larger issue relating to the speed of 
technical innovation and separately, consumerism.


What's relevant to the IETF is that it needs to make sound technical 
recommendations about the usability and appropriateness of standards. 
If organisations choose not to keep supporting some or all of their 
product lines, this shouldn't impact the IETF's ability to do its job.


Nick
