I would like to point out that a lot of this discussion seems to hinge on the following argument:

On 17/07/17 13:04, Roland Dobbins wrote:
> On 16 Jul 2017, at 11:14, Salz, Rich wrote:
>
>> I really want to hear an answer to that question from folks who say
>> they need TLS 1.3 but without it.
>
> Being able to continue to utilize vetted, well-understood,
> standards-based cryptography on intranets once regulatory bodies such
> as PCI/DSS mandate TLS 1.3 or above - which will happen, at some point
> in the not-too-distant future.

So the only reason not to use TLS 1.2 for these use cases is that it is assumed that some regulator will in the future prohibit not using it. (I don't think TLS 1.2 is going away any time soon, so it will continue to be vetted, well-understood and standards-based.)

I think it is up to those regulators to do their job properly and not require TLS 1.3 for situations when it does not fulfil the requirements. Or conversely, if regulators still require TLS 1.3 although it does not support the desired traffic inspection, maybe they have made that decision with good reason.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls