> 1) We know CRIME threat, but it can not be risk for everyone.
> e.g., CVSS v2 Base Score: 2.6 (LOW)

CVSS isn't always appropriate; CVSS2 called Heartbleed a 5; CVSS v3 called it 7.5

> Which one is safer, "tls1.2" v.s. "tls1.3 with comp/decomp" ?

They are equivalent. If you use AES-GCM and ECDHE, and you don't need 0RTT, then there is no compelling reason to use TLS 1.3.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls