Filippo Valsorda <fili...@ml.filippo.io> writes:

>The average user of OpenSSL or BoringSSL or LibreSSL or Go crypto/tls or NSS
>or Java doesn't do SCADA, doesn't do IoT, doesn't do smart cards

How do you know that? I don't know of any data supporting that (I'd love to see it if you've got it, non-web use of TLS is the submerged part of the iceberg).

Taking "SCADA/IoT/etc" to be a placeholder for M2M or more generally "non-web use", an awful lot of TLS gets done outside the web, which uses it in completely different ways than web users do. For example pretty much all of the fancy features in TLS 1.3, both in the core protocol and the endless add-ons, have no purpose or function in M2M communications.

So perhaps the answer is to have two sets of requirements, one for web use, one for everything else. If you try for a one-size-fits-all approach you'll either get the currently widespread "TLS == the web" or have to include two mostly nonintersecting sets of options to cover web vs. M2M use.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls