While it's true there is still plenty of 1.2 in many environments, defining a new extension like flags or connection ID won't make it apply to those connections. Both sides need to deploy new code to implement that extension. That means we shouldn't be looking at the trailing end of each environment, but the state of new deployments and where those should go. In that light, I think it makes sense to focus new protocol development on 1.3. If you have to deploy new TLS software anyway, you should migrate to 1.3.
Indeed it's *because* there is still an existing 1.2 deployment that we should be judicious with backports. Today, nearly every TLS implementation needs to implement both 1.2 and 1.3. The ClientHello is cross-version, so it is not possible for a client to say "I implement xyz extension only at 1.3". That means anyone implementing a backported extension *must* implement and test it in 1.2, even though it'll be virtually unused. Existing 1.2 peers don't implement it and new peers will use it at 1.3. On Thu, Nov 4, 2021 at 9:57 AM Hannes Tschofenig <hannes.tschofe...@arm.com> wrote: > The term “obsolete” appears to be used incorrectly when it comes to > TLS/DTLS 1.2 used in the IoT environment. It is widely used today and I > expect it to be used for a while since (a) there are no security problems > with it (when configured correctly), and (b) for many use cases it also > offers suitable performance. There is a well-tested open source codebase > available for TLS/DTLS 1.2. While I am a big fan of TLS / DTLS 1.3, I would > also like to acknowledge the speed at which the market operates. > > > > *From:* John Mattsson <john.matts...@ericsson.com> > *Sent:* Thursday, November 4, 2021 2:11 PM > *To:* Hannes Tschofenig <hannes.tschofe...@arm.com>; IETF TLS < > tls@ietf.org> > *Subject:* Re: Flags Extension: why only for TLS 1.3? > > > > TLS 1.2 has been obsolete for over three years. Oxford dictionary defines > obsolete as "no longer produced or used; out of date." NIST requires > support of TLS 1.3 everywhere no later than Jan 2024, which at least in > theory means no negotiation of TLS 1.2. > > > > I think IETF, TLS WG, and TLS libraries should spend their time on TLS > 1.3 rather than giving the false idea it is ok to stay on TLS 1.2. > > > > John > > > > *From: *TLS <tls-boun...@ietf.org> on behalf of Hannes Tschofenig < > hannes.tschofe...@arm.com> > *Date: *Monday, 25 October 2021 at 19:12 > *To: *IETF TLS <tls@ietf.org> > *Subject: *[TLS] Flags Extension: why only for TLS 1.3? > > Hi all, > > > > why is the flags extension only defined for TLS 1.3? > > > > There is nothing in this extension that prevents us from using it also in > TLS 1.2. > > > > Could we make it also available to TLS 1.2? > > > > Ciao > > Hannes > > > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
