SGTM, except your use of "#" confused my mental Markdown parser :)
On Fri, Feb 20, 2015 at 3:41 PM, Peter Saint-Andre - &yet <pe...@andyet.net> wrote:
> On 2/20/15 1:22 PM, Pete Resnick wrote:
>
>> On 2/20/15 1:43 PM, Richard Barnes wrote:
>>
>>> On Fri, Feb 20, 2015 at 2:12 PM, Stephen Farrell
>>> <stephen.farr...@cs.tcd.ie> wrote:
>>>
>>>>     The sense of the UTA Working Group was to complete
>>>>     work on this document about best practices for TLS in
>>>>     general, and to
>>>>     initiate work on a separate document about opportunistic TLS.
>>>>
>>> No, I don't believe we've decided that UTA will be the place where
>>> we develop a BCP on OS. [...]
>>>
>>> I'd really really hope we disentangle that discussion from this
>>> draft though, so please replace the last sentence with:
>>>
>>> "The sense of the UTA Working Group was to complete
>>> work on this document about best practices for TLS in general, and to
>>> for work on a separate BCP document about opportunistic security
>>> to be done later."
>>>
>>> FWIW:
>>> - That text is not mine; it has been in since -07.
>>> - I would personally be A-OK with UTA working on opportunistic TLS,
>>> especially in the sense of providing advice on how to interop with old
>>> stuff in ways most likely to result in TLS usage.
>>> - It's probably not a great idea to say that in this document
>>>
>>> How about:
>>> "The sense of the UTA Working Group was to complete work on this
>>> document about best practices for TLS in general, and to leave
>>> recommendations about opportunistic TLS for future work."
>>>
>> Or we could drop mention of the WG entirely:
>>
>> "This document specifies best practices for TLS in general. A separate
>> document with recommendations for the use of TLS with opportunistic
>> security is to be completed in the future."
>>
> Sure.
>
> So (with some hopefully slight edits)...
>
> ###
>
> 5.2. Opportunistic Security
>
> There are several important scenarios in which the use of TLS is
> optional, i.e., the client decides dynamically ("opportunistically")
> whether to use TLS with a particular server or to connect in the
> clear. This practice, often called "opportunistic security", is
> described at length in [RFC7435] and is often motivated by a desire
> for backward compatibility with legacy deployments.
>
> In these scenarios, some of the recommendations in this document
> might be too strict, since adhering to them could cause fallback to
> cleartext, a worse outcome than using TLS with an outdated protocol
> version or cipher suite.
>
> This document specifies best practices for TLS in general. A
> separate document containing recommendations for the use of TLS with
> opportunistic security is to be completed in the future.
>
> ###
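The trade-off that the quoted section 5.2 text describes, modelled as an added example that is not part of this thread or of the draft: a client that insists on BCP-strength parameters and then falls back to cleartext when a legacy server cannot meet them ends up with no protection at all, while a client that tolerates an older version or suite in opportunistic mode at least gets a TLS session. The client profiles, the version ranking and the server offers are constructed for illustration; the version and suite names are real, but the negotiation logic is a simplified model, not a TLS implementation.

```python
"""Model of opportunistic TLS negotiation outcomes (added example, hypothetical profiles)."""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    TLS = "tls"              # a TLS session was negotiated
    CLEARTEXT = "cleartext"  # client gave up on TLS and connected in the clear
    REFUSED = "refused"      # client refused to connect at all


# Constructed ordering of real version names; higher rank = newer version.
VERSION_RANK = {"TLS1.0": 1, "TLS1.1": 2, "TLS1.2": 3}

# Real IANA suite names: one a strict profile accepts, one only a relaxed profile tolerates.
MODERN_SUITES = ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",)
LEGACY_SUITES = ("TLS_RSA_WITH_AES_128_CBC_SHA",)


@dataclass(frozen=True)
class ClientProfile:
    name: str
    min_version: str
    suites: tuple                   # client preference order, most preferred first
    allow_cleartext_fallback: bool  # True in opportunistic deployments


@dataclass(frozen=True)
class ServerOffer:
    supports_tls: bool
    versions: frozenset
    suites: frozenset


# Hypothetical client profiles (constructed for this example).
STRICT_MANDATORY = ClientProfile("strict, TLS required", "TLS1.2", MODERN_SUITES, False)
STRICT_OPPORTUNISTIC = ClientProfile("strict, cleartext fallback", "TLS1.2", MODERN_SUITES, True)
RELAXED_OPPORTUNISTIC = ClientProfile("relaxed, cleartext fallback", "TLS1.0",
                                      MODERN_SUITES + LEGACY_SUITES, True)

# Constructed server offers.
MODERN_SERVER = ServerOffer(True, frozenset({"TLS1.2"}), frozenset(MODERN_SUITES))
LEGACY_SERVER = ServerOffer(True, frozenset({"TLS1.0"}), frozenset(LEGACY_SUITES))
PLAINTEXT_ONLY_SERVER = ServerOffer(False, frozenset(), frozenset())


def negotiate(client: ClientProfile, server: ServerOffer):
    """Return (Outcome, version, suite) for one client/server pairing."""
    fallback = (Outcome.CLEARTEXT if client.allow_cleartext_fallback else Outcome.REFUSED,
                None, None)
    if not server.supports_tls:
        return fallback
    # Versions the client is willing to speak and the server offers.
    versions = [v for v in server.versions
                if VERSION_RANK[v] >= VERSION_RANK[client.min_version]]
    # Suites in common, kept in the client's preference order.
    suites = [s for s in client.suites if s in server.suites]
    if not versions or not suites:
        return fallback  # handshake would fail; apply the client's fallback rule
    return Outcome.TLS, max(versions, key=VERSION_RANK.__getitem__), suites[0]


def security_rank(result) -> int:
    """Rank the protection of the resulting session:
    0 = no protected session (cleartext or refused), 1 = TLS with legacy
    parameters, 2 = TLS with the modern version and suite."""
    outcome, version, suite = result
    if outcome is not Outcome.TLS:
        return 0
    return 2 if (version == "TLS1.2" and suite in MODERN_SUITES) else 1


def best_profile_for(server: ServerOffer,
                     profiles=(STRICT_OPPORTUNISTIC, RELAXED_OPPORTUNISTIC)) -> str:
    """Name of the opportunistic profile that yields the best-protected session."""
    return max(profiles, key=lambda p: security_rank(negotiate(p, server))).name


if __name__ == "__main__":
    for server_name, server in (("modern", MODERN_SERVER), ("legacy", LEGACY_SERVER),
                                ("plaintext-only", PLAINTEXT_ONLY_SERVER)):
        for profile in (STRICT_MANDATORY, STRICT_OPPORTUNISTIC, RELAXED_OPPORTUNISTIC):
            print(f"{server_name:15} {profile.name:28} -> {negotiate(profile, server)}")
```

Against the modern server every profile negotiates TLS 1.2 with the modern suite, so the strict parameters cost nothing; against the legacy server the strict opportunistic profile drops to cleartext while the relaxed one keeps a (weaker) TLS session, which is exactly why the quoted text says the general recommendations may be too strict for opportunistic deployments. The strict mandatory profile, by contrast, refuses rather than connecting in the clear, which is the right behaviour where TLS is required rather than opportunistic.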
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta