On Thu, Feb 19, 2015 at 1:26 AM, Brian Smith <br...@briansmith.org> wrote:
> Richard Barnes <r...@ipv.sx> wrote:
> > Pete Resnick <presn...@qti.qualcomm.com> wrote:
> >> Until we are able to get better community consensus on this topic and how
> >> to explain it in documents, I think (and I believe the WG agrees) that the
> >> right thing to say is, "This document isn't talking about OS" and leave it
> >> at that, which is what the document now says.
> >
> > It's wrong to just throw up our hands and give carte blanche just because we
> > might need to red-line a few things. At most, we should say something like,
> > "OS is a work in progress; until further notice, use this as a baseline and
> > deviate to the minimal extent possible."
>
> The working group agreed that unauthenticated TLS is out of scope for
> the document. Saying anything other than unauthenticated TLS is out of
> scope would misrepresent the working group's consensus. As others
> pointed out, if and how much of this document is appropriate for
> unauthenticated TLS is very unclear and deciding that would add a lot
> of delay to the publication of the document.
>
> The working group already decided to defer much more serious and more
> widely-relevant issues (like the complete lack of any recommendations
> regarding ECDSA cipher suites, despite these being the most
> interoperable AES-GCM cipher suites available and the best ones for
> server-side performance, or the fact that the document recommends DHE
> cipher suites despite clear evidence that DHE cipher suites are a
> minefield) in the interests of getting the document published on a
> reasonable schedule.
>
> IMO, unauthenticated TLS is so different from secure use of TLS that
> it deserves its own document once we've learned what the *best*
> *current* practices for unauthenticated TLS are, which we currently do
> not know.

I'm curious how you think unauthenticated TLS is so dramatically different.
I mean, WebRTC connections are all unauthenticated, and they look exactly the same on the wire as authenticated connections -- the endpoints just don't check the certs.

--Richard

> Cheers,
> Brian
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
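As an added illustration of the point in Richard's reply (this is example code, not something posted in the thread), two Python `ssl` client contexts that offer identical versions and cipher suites and differ only in whether the received certificate is checked, plus a small audit helper a defender can run over a context to spot verification that has been switched off. The function names are constructed for this example.

```python
import ssl
from typing import List

# Constructed helpers (not from the thread): build two client contexts that
# differ only in whether the peer certificate is checked.

def authenticated_context() -> ssl.SSLContext:
    """Normal client: CA chain verified, hostname checked."""
    return ssl.create_default_context()

def opportunistic_context() -> ssl.SSLContext:
    """'Unauthenticated' TLS: the same versions and cipher suites are offered,
    but the peer certificate is accepted without verification."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def offered_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Cipher suite names this context would advertise in its ClientHello."""
    return sorted(c["name"] for c in ctx.get_ciphers())

def same_on_the_wire(a: ssl.SSLContext, b: ssl.SSLContext) -> bool:
    """True if both contexts offer identical versions and cipher suites,
    i.e. the handshakes are indistinguishable apart from what each client
    does with the certificate it receives."""
    return (offered_ciphers(a) == offered_ciphers(b)
            and a.minimum_version == b.minimum_version
            and a.maximum_version == b.maximum_version)

def audit(ctx: ssl.SSLContext) -> List[str]:
    """Defender-side check: report why a context does not authenticate its peer."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("peer certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings

if __name__ == "__main__":
    auth, opp = authenticated_context(), opportunistic_context()
    print("identical handshake offer:", same_on_the_wire(auth, opp))
    print("authenticated findings:", audit(auth))
    print("opportunistic findings:", audit(opp))
```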