While I agree that TLSv1.0 and TLSv1.1 should be avoided as much as
possible, I believe this document fails to consider that there are old
systems that are still in use that cannot be upgraded. Strict
implementation of the MUST NOT rules in this document can even prevent
those systems from be
Keith,
Thanks for your note. Most of the general points you raise here were
discussed
when the TLS WG decided to move forward with this draft [0], though
perhaps some of that is not reflected in the text. Of course that
doesn't make this points invalid, so I'll try to summarize my
view of the rati
On 11/27/20 9:53 PM, Eric Rescorla wrote:
Keith,
Thanks for your note. Most of the general points you raise here were
discussed
when the TLS WG decided to move forward with this draft [0], though
perhaps some of that is not reflected in the text. Of course that
doesn't make this points invali
Reviewer: Dale Worley
Review result: Ready
I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair. Please treat these comments just
like any other last call comments.
For more information
Hi Keith,
Thanks for your note. I think it's clear we see things differently,
and I don't think it's that useful to get into an extended back and
forth on those points. Accordingly I've done a fair bit of trimming to
focus on the points where I think you may have misunderstood me
(perhaps due to u
Looking at https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-09
§2:
§2 ¶5 has «TLS 1.3, specified in TLSv1.3 [RFC8446]…».
§2 ¶4 has «TLSv1.2, specified in RFC5246 [RFC5246]…»
§2 ¶3 has «TLS 1.1, specified in [RFC4346]…»
Were these
On 11/27/20 11:30 PM, Eric Rescorla wrote:
Well, I can't speak to how it sounds to you, but it's not a marketing
argument but rather a security one. This is easiest to understand in
the context of the Web, where you have a reference that contains one
bit: http versus https,and all https content
Well, I think our respective positions are clear, so I'll just limit myself
to one point.
On Fri, Nov 27, 2020 at 8:43 PM Keith Moore
wrote:
> >
> >
> > > > I'm not sure what clients you're talking about, but for the clients
> > > > I am aware of, this would be somewhere between a broken experie
On 11/27/20 11:58 PM, Eric Rescorla wrote:
To clarify, my suggestion was that https with TLS < 1.2 be treated as
insecure, not as neither secure nor insecure or any kind of "in
between".
Well, the problem is that it is secure from the perspective of the
site author
but insecure fr
