On Thu, Oct 10, 2019, at 00:04, Eric Rescorla wrote:
> draft-ietf-rtcweb-security arch doesn't precisely encourage you to 
> implement DTLS 1.0; there's no normative language at all (even in the 
> non-2119 sense). It makes a factual statement about the history of the 
> document and about the impact of implementing only DTLS 1.2 and leaves 
> it up to the implementor what to do with that statement. I agree that 
> the fact that it bothers to mention it might be read as implying that 
> people should do DTLS 1.0, but that's not actually in the text. Indeed, 
> I could imagine this document including both this text *and* a MUST NOT 
> implement DTLS 1.0 (that's actually how one has to interpret the union 
> of draft-ietf-rtcweb-security-arch and 
> draft-ietf-tls-oldversions-deprecate), with the understanding that the 
> point of the "might encounter interoperability issues" is to document 
> the impact of the MUST NOT requirement.

This is, I think, the best interpretation of the current situation.  At best, 
you make the same inference you always do: disabling DTLS 1.0 right away comes 
with some interoperability risks.

Just to add some data on this point: browsers are looking to disable DTLS 1.0 
at around the same time, but our data about DTLS 1.0 usage isn't as good as for 
TLS 1.0, so this is less of a firm commitment.  For instance, this 
(https://mzl.la/31255vp) is a much higher proportion of the overall, but it is 
also quite noisy.

Either way, I expect this to go away at the same time or soon after.  We're a 
little more comfortable being more aggressive with WebRTC.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls