On Wed, Nov 17, 2021, at 16:10, Ryan Sleevi wrote: > I think I would disagree with this claim. Application-layer signals are > one way to solve this problem, but they are not a necessary condition.
Sure. I was maybe imprecise in writing this up; this is a statement I agree with. I'm more concerned about the absence of any signal (or rather agreement) and how that might arise. >> Your recommendations about TLS versions and ciphersuites might be >> misleading. Yes, a consistent configuration across servers is a good thing, >> but it's not TLS configuration that matters here. > > Yes, it is though. Just as we saw issues with TLS1.3 and QUIC, or > POODLE, TLS versions (and configurations) are best thought of as > different protocols that facilitate cross-protocol attacks. I was assuming that the advice here as given. If TLS 1.2 breaks or a cipher breaks, then I guess that maybe a consistent configuration might help, but if the consistent configuration means that every node in the group is vulnerable, then nothing is gained. >> The ALPN recommendation could be strengthened. A lot. I would prefer a >> construct that used "MUST" conditioned on an "unless the protocol does not >> support it" and maybe "in which case the identities for which the server is >> used are not used for any other protocol without ALPN support" or similar >> conditions. > > See the past list discussion that raised concerns about that proposed > change, which this language was trying to address. Yeah, I don't think that a "SHOULD" is a good resolution to that discussion. _______________________________________________ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta
