Nicely said, Peter. To add: this is also the reason why the UTA group has been working on two sets of documents to capture profiles for the web (+email+IM) and IoT:

1) RFC 7590 and now draft-ietf-uta-tls13-iot-profile-00
2) RFC 7525 and now draft-sheffer-uta-rfc7525bis
-----Original Message-----
From: Peter Gutmann <pgut...@cs.auckland.ac.nz>
Sent: Thursday, September 24, 2020 12:02 PM
To: Filippo Valsorda <fili...@ml.filippo.io>; Hannes Tschofenig <hannes.tschofe...@arm.com>; Carrick Bartle <cbartle...@icloud.com>
Cc: tls@ietf.org
Subject: Re: [TLS] The future of external PSK in TLS 1.3

Filippo Valsorda <fili...@ml.filippo.io> writes:

>The average user of OpenSSL or BoringSSL or LibreSSL or Go crypto/tls
>or NSS or Java doesn't do SCADA, doesn't do IoT, doesn't do smart cards

How do you know that? I don't know of any data supporting that (I'd love to see it if you've got it, non-web use of TLS is the submerged part of the iceberg).

Taking "SCADA/IoT/etc" to be a placeholder for M2M or more generally "non-web use", an awful lot of TLS gets done outside the web, which uses it in completely different ways than web users do. For example pretty much all of the fancy features in TLS 1.3, both in the core protocol and the endless add-ons, have no purpose or function in M2M communications.

So perhaps the answer is to have two sets of requirements, one for web use, one for everything else. If you try for a one-size-fits-all approach you'll either get the currently widespread "TLS == the web" or have to include two mostly nonintersecting sets of options to cover web vs. M2M use.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls