On Mon, Oct 25, 2021 at 05:13:07PM +0000, Hannes Tschofenig wrote:
> Hi Ilari,
>
> > "If an item is not marked as 'Recommended', it does not necessarily
> > mean that it is flawed; rather, it indicates that the item either
> > has not been through the IETF consensus process, has limited
> > applicability, or is intended only for specific use cases."
>
> I think the flags draft should state that (if that's how it should be
> interpreted).
>
> FWIW I looked through the current list of extensions and their Y/N
> assignment for "recommended". The assignment appears random. This is
> not surprising, since extensions are, by their nature, related to
> specific use cases and therefore have a certain applicability only.
Yeah, the assignments are pretty strange. Here are some recommended ones
I think are odd:

- trusted_ca_keys: Wasn't that supposed to be deprecated?
- client_certificate_url: No replacement in TLS 1.3, security issues.
- user_mapping: No replacement in TLS 1.3, who uses this?
- ec_point_formats: No replacement in TLS 1.3, who uses this?
- heartbeat: The most infamous extension of them all.
- token_binding: No replacement in TLS 1.3.
- status_request_v2: Who uses this (at least TLS 1.3 has a replacement)?
- session_ticket: Nasty security issues (destroys forward secrecy of any
  connection it is used on).
- transparency_info: Similar to signed_certificate_timestamp, which is
  not recommended.

On the reverse side, not recommended extensions, there do not seem to be
any really strange ones (I presume some are due to procedural matters,
and will be changed to recommended later).

I dinged extensions for not working and not having a replacement in
TLS 1.3, as one would think that all the common stuff would have
replacements.

Then on stuff other than extensions, there are some other odd ones:

- ciphers TLS_DHE_RSA_WITH_*: Negotiation is flawed.
- ciphers TLS_DHE_PSK_WITH_*: Who uses this?
- exporter label "client finished": Actually reserved.
- exporter label "server finished": Actually reserved.
- exporter label "master secret": Actually reserved.
- exporter label "key expansion": Actually reserved.
- exporter labels: Why is there a recommended column at all?

-Ilari