Yes, it’s not recommended, but why even make something that offers nothing other than a security degradation an option? This doesn’t do anything other than shave off a negligible overhead for a clear and obvious degradation in security, by reintroducing classes of attacks we had ruled out.
I mean, if some other regulatory body came and asked for a Triple-DES mode, surely we wouldn’t adopt it just because it won’t be recommended? Why even make it an option to begin with if all it does is harm the cryptographic security of TLS?

Nadim Kobeissi
Symbolic Software • https://symbolic.software

> On 20 Feb 2026, at 5:18 PM, Salz, Rich <[email protected]> wrote:
>
> The pattern: “no, it doesn’t quite throw the baby out with the bathwater,
> but it makes it easier to.”
>
> How does it do that? Are you saying that people will ignore the Recommended
> column? Is that a reasonable belief? Why ignore just that one and not, say,
> the assigned codepoint? Do you think they are ignoring the Recommended column
> for things like DES and RC4? Or do you have another reason for saying that,
> or is it just verbal tricks?
>
> All we can do is try to document our meaning and intent clearly.
>
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
