Hi,

Peter Saint-Andre - &yet wrote:
>> -- Section 3.3 --
>>
>> Implementations and deployments SHOULD disable TLS-level compression
>> ([RFC5246], Section 6.2.2).
>
> Because it's not yet clear to me that all application protocols using
> TLS or DTLS are subject to these compression-based attacks (at least, I
> have not yet seen analysis of all the many such protocols), personally I
> would hesitate at this time to say that all protocols MUST disable
> TLS-level compression.
>

At this point it does not hurt to have it as a MUST either, right? Are there any serious implications for implementors or deployed applications if we have TLS compression as `MUST be disabled` in the document?

>> -- Section 4.2.1 --
>>
>> Servers SHOULD prefer this cipher suite over weaker cipher suites
>> whenever it is proposed, even if it is not the first proposal.
>
> I think that one would be fine as MUST (notice, however, that it applies
> to a cipher suite that itself is a SHOULD).
>

+1.

Aaron
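Added example, not from this thread or the draft under discussion: a small Python audit of a server-side `ssl.SSLContext` against the two points above (TLS-level compression disabled, server cipher-suite order honoured even when the client lists a weaker suite first). It assumes the OpenSSL-backed `ssl` module and that a deployment's settings are visible as the `OP_NO_COMPRESSION` and `OP_CIPHER_SERVER_PREFERENCE` option bits; the "legacy" context is constructed here only to show what a non-compliant deployment looks like.

```python
import ssl

# The two recommendations from the thread, as option bits of a Python ssl context
# (assumption: the deployment's TLS settings are reflected in these bits).
RECOMMENDATIONS = {
    "compression disabled": ssl.OP_NO_COMPRESSION,                # Section 3.3
    "server cipher preference": ssl.OP_CIPHER_SERVER_PREFERENCE,  # Section 4.2.1
}


def hardened_server_context() -> ssl.SSLContext:
    """Server context that follows both recommendations explicitly."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """Constructed non-compliant context: clears both bits, as an old deployment
    that still offers compression and follows the client's suite order would."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    ctx.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report, per recommendation, whether the context satisfies it."""
    return {name: bool(ctx.options & bit) for name, bit in RECOMMENDATIONS.items()}


def missing_hardening(ctx: ssl.SSLContext) -> list:
    """Names of the recommendations the context does not meet (empty when compliant)."""
    return [name for name, ok in audit_context(ctx).items() if not ok]


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()),
                       ("legacy", legacy_server_context())):
        print(label, audit_context(ctx), "missing:", missing_hardening(ctx))
```

Python 3.6 and later already set both bits on a freshly created context, so in practice the audit mainly catches code that has cleared them.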
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta