IMO RFC7525 and this new draft both suffer from dubious assumptions and
make poor recommendations because of those assumptions. In particular,
there are many cases for which using an old version of TLS is suboptimal
and it shouldn't be considered as secure, but it may still be better
than deprecating old versions of TLS that might be the only ones
supported by the peer.
People do not always have the luxury of upgrading their clients and
servers to versions that support the recent TLS. Some legacy hardware
has firmware that cannot be upgraded because no upgrades are
available. Service providers do not always have the leverage to insist
that their customers upgrade, or the luxury of abandoning customers, etc.
I therefore find it difficult to make good advice of the form "don't use
TLS version x.y" that is appropriate across all applications and all
usage scenarios. Again, there's an important difference between "don't
use TLS x.y" and "don't consider TLS x.y secure".
I also think it's odd that there are recommendations like this that say
"don't support TLS x.y" but say nothing about not supporting cleartext
for protocols that still have a cleartext mode. Even SSL 1.0 is
probably better than cleartext (at least from a security perspective, if
not from a support burden perspective) as long as it's not trusted to be
secure.
So in summary, either I don't support adoption of this draft, or I
support adoption of this draft only to the extent that it can be
significantly changed.
Keith
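One defender-side way to act on the distinction drawn above (keep accepting a legacy TLS version for peers that cannot upgrade, but do not treat those sessions as secure, and measure how many such peers exist before deprecating anything) is to inventory the versions that clients actually offer in their ClientHello. The following is an added example, not code from this thread or from the draft: the parser, the `MIN_TRUSTED_VERSION` threshold, the `classify`/`inventory` helpers and the sample ClientHello records are all constructed for this illustration.

```python
"""Classify TLS ClientHello records by the highest protocol version offered.

Added example (not part of the mailing-list thread): a passive inventory
helper a server operator can run over captured ClientHello records to see
which clients still depend on legacy TLS versions, and to tag sessions
below a chosen threshold as "accepted but untrusted" rather than refused.
"""
import struct

VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}

# Policy threshold (an assumption for this example): versions below TLS 1.2
# are still accepted for legacy peers but are marked untrusted.
MIN_TRUSTED_VERSION = 0x0303


def highest_offered_version(record: bytes) -> int:
    """Return the highest TLS version a ClientHello record offers.

    TLS 1.3 clients put 0x0303 in legacy_version and list their real versions
    in the supported_versions extension (type 0x002b), so that extension wins
    when present; otherwise client_version from the handshake body is used.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                   # skip legacy_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                             # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + cs_len                              # skip cipher_suites
    cm_len = hello[pos]
    pos += 1 + cm_len                              # skip compression_methods
    if pos + 2 > len(hello):
        return client_version                      # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x002B and data:            # supported_versions (client form)
            n = data[0]
            versions = [struct.unpack("!H", data[1 + i:3 + i])[0]
                        for i in range(0, n, 2)]
            known = [v for v in versions if v in VERSION_NAMES]  # drop GREASE values
            if known:
                return max(known)
    return client_version


def classify(record: bytes) -> dict:
    """Apply the accept/accept-untrusted policy to one ClientHello."""
    v = highest_offered_version(record)
    trusted = v >= MIN_TRUSTED_VERSION
    return {
        "version": VERSION_NAMES.get(v, hex(v)),
        "trusted": trusted,
        "action": "accept" if trusted else "accept-untrusted",
    }


def inventory(records) -> dict:
    """Count offered versions across many records (input for a deprecation decision)."""
    counts = {}
    for record in records:
        name = classify(record)["version"]
        counts[name] = counts.get(name, 0) + 1
    return counts


def build_client_hello(client_version: int, supported_versions=None) -> bytes:
    """Construct a minimal ClientHello record (sample data for this example only)."""
    hello = struct.pack("!H", client_version) + b"\x11" * 32     # legacy_version + random
    hello += b"\x00"                                              # empty session_id
    hello += struct.pack("!H", 2) + b"\x00\x2f"                   # one cipher suite
    hello += b"\x01\x00"                                          # null compression only
    exts = b""
    if supported_versions:
        body = bytes([2 * len(supported_versions)]) + b"".join(
            struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", 0x002B, len(body)) + body
    hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(handshake)) + handshake


# Constructed sample capture: two TLS 1.0-only clients, one TLS 1.2, one TLS 1.3.
SAMPLE_RECORDS = [
    build_client_hello(0x0301),
    build_client_hello(0x0303),
    build_client_hello(0x0303, [0x0304, 0x0303]),
    build_client_hello(0x0301),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify(rec))
    print(inventory(SAMPLE_RECORDS))
```

The parser only reads the version fields, so it works on a raw capture without terminating TLS; the `action` field is where an operator would hook per-session handling (logging, reduced privileges for the session, or a refusal once the inventory shows no legacy peers remain).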
On 4/26/20 5:35 AM, Valery Smyslov wrote:
Hi,
during the last virtual interim meeting the draft
draft-sheffer-uta-bcp195bis-00 was presented and the authors asked for its
adoption.
The general feeling in the room was in favor of the adoption, however
the authors were asked to rename it to *-rfc7525-bis.
The authors have renamed the draft and asked the chairs for its adoption.
Since our responsible AD agrees that this work is within the charter
of the WG, the chairs are issuing a formal call for adoption
to confirm the results we had at the meeting.
This message starts a two-week call for adoption of the
draft-sheffer-uta-rfc7525bis-00 draft.
The call will end on 10 May 2020. Please send your opinions to the list
before this date.
Please, if possible, include any reasons supporting your opinion. If you
support this adoption, please indicate whether you are ready to review
this draft if it becomes a WG document.
Regards,
Leif & Valery.
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta