Richard Barnes <r...@ipv.sx> wrote:
> Pete Resnick <presn...@qti.qualcomm.com> wrote:
>> Until we are able to get better community consensus on this topic and how
>> to explain it in documents, I think (and I believe the WG agrees) that the
>> right thing to say is, "This document isn't talking about OS" and leave it
>> at that, which is what the document now says.
>
> It's wrong to just throw up our hands and give carte blanche just because we
> might need to red-line a few things.  At most, we should say something like,
> "OS is a work in progress; until further notice, use this as a baseline and
> deviate to the minimal extent possible."

The working group agreed that unauthenticated TLS is out of scope for
the document. Saying anything other than unauthenticated TLS is out of
scope would misrepresent the working group's consensus. As others
pointed out, if and how much of this document is appropriate for
unauthenticated TLS is very unclear and deciding that would add a lot
of delay to the publication of the document.

The working group already decided to defer much more serious and more
widely-relevant issues (like the complete lack of any recommendations
regarding ECDSA cipher suites, despite these being the most
interoperable AES-GCM cipher suites available and the best ones for
server-side performance, or the fact that the document recommends DHE
cipher suites despite clear evidence that DHE cipher suites are a
minefield) in the interests of getting the document published on a
reasonable schedule.

IMO, unauthenticated TLS is so different from secure use of TLS that
it deserves its own document once we've learned what the *best*
*current* practices for unauthenticated TLS are, which we currently do
not know.

Cheers,
Brian

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
