On Fri, Jul 15, 2022 at 10:30:55AM -0700, Rob Sayre wrote:
> On Fri, Jul 8, 2022 at 7:19 AM Cullen Jennings via Datatracker <
> nore...@ietf.org> wrote:
> 
> 
> >  I see no evidence of any
> > discussion of how that will work out for things that use HTTP but are not
> > browsers.
> >
> 
> There just aren't that many implementations on the client side. Not only do
> you have to implement all of the HTTP versions and TLS, but you have to
> maintain all of the PKI stuff as well. Obviously, people do it, but they
> are not the ones that need to read this document.
> 
> If the TLS library is not one also used by the OS and a browser (NSS,
> SecureTransport, etc), it's probably OpenSSL. I don't think this is an
> oversight in the document.

I think we need to be really careful with what we're considering as the
relevant population of clients when making statements like this, and what
metric is used to count/weight them.  OpenSSL, for example, is terrible for
embedded/IoT systems -- it's just not designed to produce a small code
size.  Mbed TLS (Apache licensed, just like current OpenSSL) is much more
appropriate in those environments, which also happen to be ones where the
scale/volume of number of devices can become quite relevant quite quickly.
So what do you actually think we are/should be measuring?

-Ben

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta

Reply via email to