David Benjamin <david...@chromium.org> writes:

>TLS 1.3 will resolve this with the new cipher suite negotiation, but I agree
>this makes the specification basically undeployable with TLS 1.2. This issue
>also got brought up here:
>https://www.ietf.org/mail-archive/web/tls/current/msg18697.html

Hmm, good point.  So reading between the lines of the various comments on this
issue, the feeling seems to be "ignore this RFC".  That more or less answers
my question; I'll leave it out of TLS-LTS apart from mentioning it as another
source of DH groups.

>Barring unforeseen problems, Chrome will also lose DH in the next release.

Which will be yet another headache for people working with SCADA devices, who
are seeing themselves locked out more and more from being able to admin their
systems when browser vendors arbitrarily decide to deprecate long-established
mechanisms.  I know of operators who are running IE 6 in XP VMs because that's
the only thing that'll still talk to some devices they use (OK, old versions
of FF and Chrome will do it too if you can find them, but then they always
want to update themselves to less old versions that stop working again). 

Couldn't Chrome include an optional legacy mode that just works with existing
systems, perhaps triggered by access to a device at an RFC 1918 address?
There really is, in some cases, nothing available any more that will talk to
entire families of SCADA devices because browsers assume the only thing that
matters is the public WWW and won't accommodate anything that isn't.

(At some point someone's going to figure out they can make a lot of money by
taking Firefox 3.0, rebranding it, and selling it as an embedded device
management solution, because it'll talk to all the things that current
browsers won't any more).

Peter.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls