On Thursday, July 23, 2015 01:10:30 pm Eric Rescorla wrote:
> On Thu, Jul 23, 2015 at 7:06 PM, Stephen Farrell <stephen.farr...@cs.tcd.ie>
> wrote:
> > A suggestion - could we remove mention of anything that
> > is not a MUST or SHOULD ciphersuite from the TLS1.3 document
> > and then have someone write a separate draft that adds a
> > column to the registry where we can mark old crap as
> > deprecated?
>
> I'm starting to lean towards this. I don't generally think of TLS 1.3 as a
> vehicle for telling people how to configure use of TLS 1.2, and I think it
> might be better to move all that stuff out.
If we've learned one thing from the past year of high-profile vulnerabilities with names and logos, it's that TLS is not really secure if you don't take into account its weakest/oldest feature that's still possible. I don't think any responsible TLS 1.3 spec can afford to not acknowledge this.

That said, if all you want to move out are things that aren't MUSTs or SHOULDs, I don't see a problem with that. (With possibly the exception of a "NOT RECOMMENDED" or two, though that's really just a synonym for "SHOULD NOT".) What would that actually entail? Or did you just mean to cut out all non-MUST/SHOULD cipher suites? I also don't see a problem with that. I just updated the list with everything. The full list can go in a separate document if we want to just focus on MUST/SHOULD support ciphers in the spec proper.

Also on the topic of cutting out hunks of text, someone should write up a DSS/DSA removal PR. There's quite a bit of text scattered throughout the spec to handle it that we don't need anymore.

Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls