On Thu, Jan 14, 2016 at 12:14:48AM +0000, Peter Gutmann wrote: > Salz, Rich <rs...@akamai.com> writes: > > >> TLS needs an LTS version that you can just push out and leave to its own > >> devices > > > >So don't you have that with TLS 1.1 and appropriate cipher and option > >choices? > > Based on the feedback I've had, I'm kinda tempted to do a TLS 1.2 LTS draft > that specifices just a single boolean flag, "use this known-good configuration > and not the 6.023e23 other ones and you should be good for the next decade or > so". That can then be baked into long-term systems and devices and left alone > while people get on with other things.
To actually fix the known problems with TLS 1.2, you would at minimum need a new extension, since there is currently no way to fix the broken server authentication. Then there are the other security fix extensions (at least three already). Those all would need to be impiled. And then there is the TLS 1.2 Diffie-Hellman issue... -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
