On Dec 4, 2020, at 5:29 PM, Ackermann, Michael <mackerm...@bcbsm.com> wrote:

> Regards to the 12 years vs 1-2. 12 years is probably too long for just
> about anything, once it is determined to be a business need. But that is
> the key first step. Then it will likely be a minimum of 1-2 years to get
> the identified need in the budget and then into planning cycles and actual
> project plans. For example, if you tell me to do a major conversion
> right now, it is too late at this point for me to even request that for the
> 2021 budget. I could request this in 2021, for the 2022 budget. Hence
> the typical minimum 1-2 years.

But isn’t this the crux of the matter? How do we get to a place where when a new version of the protocol comes out, the planning starts? Should the IETF have deprecated TLS 1.1 in 2008? That would certainly have given you more lead time! I suspect there’s a happy medium.

Why do people buy stuff that’s not upgradeable? Probably because the manufacturer doesn’t give them a choice, and there’s no way to force the choice. The recent discussions about legally requiring firmware-upgradeable IoT devices (e.g. in Singapore) are definitely a step in the right direction. For medical devices and medical infrastructure, this should have been required, but as far as I know still is not. I realize that this isn’t your specific problem, but it’s the one that really worries me.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls