This is a situation where there is a clear alternative: use IPsec. IPsec is ideal for the problem space you are in. TLS is actually really not ideal. You are trying to cram a round peg into a square hole.
On Tue, Aug 21, 2018 at 12:00 PM, Fries, Steffen <steffen.fr...@siemens.com> wrote:

> Ø If there would be support for integrity ciphers in TLS 1.3 it would
> enable the straightforward switch from TLS 1.2 also in these environments
> by keeping existing monitoring options.
>
> Why do you want to move to TLS 1.3? Why isn’t your existing solution good
> enough?
>
> [stf] Currently it is sufficient to use TLS 1.2. For certain use cases the
> utilized components have a rather long lifetime. One assumption is that TLS
> 1.3 will exist longer than TLS 1.2 and that certain software tools (also
> browsers) may not support TLS 1.2 in the future (I know there is currently
> no intention for a deprecation of 1.2, but if a component is in the field
> for 20 years, it may become more likely). Having the option to also support
> TLS 1.3 on such devices now, may ensure that they are accessible by
> standard software also in the more distant future.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls