Hi,

Maybe I am missing the point, but I do not see any reasons to not
explicitly recommend adoption of the latest version (i.e. TLS 1.3).

While the document deprecates old versions, providing explicitly the status
of the non-deprecated versions seems to me in scope of the document. As
such, clearly stating that TLS 1.3 or the latest version is expected seems
to me better, but I am happy to hear otherwise.

Removing the sentence that mentions that TLS 1.2 and TLS 1.3 will coexist
for a long time does not carry exactly the same message as explicitly
recommending the adoption of the latest version. I believe an explicit
statement will help adoption of TLS 1.3.

To be clearer, I am providing the alternate text I had in mind. Of course
feel free to change the wording.

Abstract:

OLD:

"""TLSv1.2 has been the recommended version for IETF protocols since 2008,
providing sufficient time to transition away from older versions."""

NEW:

"""The current recommended version for TLS is 1.3 and version 1.2 has been
recommended since 2008, providing sufficient time to transition away from
older versions."""

Introduction:

OLD:
"""The expectation is that TLSv1.2 will continue to be used for many years
alongside TLSv1.3."""

NEW:
"""While TLSv1.2 and TLSv1.3 are likely to coexist for some time, it is
strongly RECOMMENDED to consider the adoption of TLSv1.3"""


OLD:

"""Deprecation of these versions is intended to assist developers as
   additional justification to no longer support older TLS versions and
   to migrate to a minimum of TLSv1.2.  Deprecation also assists product
   teams with phasing out support for the older versions to reduce the
   attack surface and the scope of maintenance for protocols in their
   offerings.
"""

NEW:

"""Deprecation of these versions is intended to assist developers as
   additional justification to no longer support older TLS versions and
   to migrate to a minimum of TLSv1.2. At the time of writing this document
this includes TLSv1.2 and TLSv1.3. The adoption of TLSv1.3 is strongly
RECOMMENDED. If TLSv1.2 were not supported yet, adoption of TLSv1.3 is
RECOMMENDED.  Deprecation also assists product
   teams with phasing out support for the older versions to reduce the
   attack surface and the scope of maintenance for protocols in their
   offerings.
"""

Yours,
Daniel

On Fri, Sep 27, 2019 at 4:46 AM Stephen Farrell <stephen.farr...@cs.tcd.ie>
wrote:

>
>
> On 27/09/2019 04:50, Martin Thomson wrote:
> > On Fri, Sep 27, 2019, at 10:52, Stephen Farrell wrote:
> >>>> """The expectation is that TLSv1.2 will continue to be used
> >>>> for many years alongside TLSv1.3."""
> >>
> >> So is your proposed change to only remove that sentence?
> >
> > I just checked, and it seems like the only thing the document says
> > along these lines, so yeah.
>
> Grand so. Like I said I don't think it's a biggie so I've
> commented out that sentence in the GH version. [1]
>
>   [1]
>
> https://github.com/tlswg/oldversions-deprecate/blob/master/draft-ietf-tls-oldversions-deprecate.txt
>
> BTW - for the chairs/AD - how are we doing on getting IETF LC under
> way? I realise the world won't end if this isn't super-fast but it's
> been 3 months since publication was requested which seems like a bit
> of a while.
>
> Cheers,
> S.
>
>
> >
> >> Personally, I'm not that fussed. Including or omitting that seems
> >> not a big deal to me. If the WG are however keen on such a change
> >> that's fine too. OTOH, we've already done a bunch of process-steps
> >> with this process-draft so I do wonder if that change really
> >> amounts to a worthwhile thing.
> >
> > I do.  Or I wouldn't have written the email.  Do you think that this
> > is a valuable statement?  I think that it says that the IETF lacks
> > confidence in the suitability of TLS 1.3 as a replacement for TLS
> > 1.2.
> >
> > If you want a smaller change, s/many years/some time/
> >
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>