Salz, Rich <rs...@akamai.com> writes:

>> TLS needs an LTS version that you can just push out and leave to its own
>> devices
>
> So don't you have that with TLS 1.1 and appropriate cipher and option
> choices?
That's the approach suggested previously by Peter Bowen: assemble it yourself from a huge list of extensions. The problem there is that you're after a fixed, known-good config drawn from the maybe 10 extension RFCs you'd need to cover (from Peter's post, plus a few extra to cover new things). I don't want to go through all of those and count up the possible options, but I'm pretty sure I'd need to resort to special notation to express the magnitude of combinations once you plug them into the nCk formula.

Based on the feedback I've had, I'm kinda tempted to do a TLS 1.2 LTS draft that specifies just a single boolean flag: "use this known-good configuration and not the 6.023e23 other ones and you should be good for the next decade or so". That can then be baked into long-term systems and devices and left alone while people get on with other things.

(Speaking of feedback, I've still got a bucketload of private email to respond to, including stuff from people I didn't know were on the list any more. Turns out there's a lot more reading than writing; I'm working through it...)

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls