Speaking as non-chair (and my first post to the list). There were a number of comments in Brisbane about managing default TLS versions. While the comments made different proposals, I don't think that they were substantially different. I'll try to clarify my understanding here.
I'll divide the comments into two areas:

1) standards

New standards MUST require TLS 1.3 or higher. New standards MAY be compatible with TLS 1.2.

2) implementations

Implementations of new standards MUST default to using TLS 1.3 or higher. These implementations SHOULD have a way to configure the minimum allowable TLS version to use. If this setting is configurable, any default example MUST use TLS 1.3. If the TLS versions are not set in any configuration, then the implementation MUST use TLS 1.3 or higher.

There are a number of ways to support this functionality. One common way is to allow the administrator to set "minimum allowed TLS version" and "maximum allowed TLS version". For examples, see:

https://www.openssl.org/docs/man1.1.1/man3/SSL_set_min_proto_version.html
https://github.com/FreeRADIUS/freeradius-server/blob/release_3_2_3/raddb/mods-available/eap#L497

Apache only supports setting the minimum TLS version:

https://httpd.apache.org/docs/2.4/mod/mod_tls.html

wpa_supplicant has explicit flags to enable / disable each TLS version:

https://w1.fi/cgit/hostap/tree/wpa_supplicant/wpa_supplicant.conf?h=hostap_2_10#n1358

Of the different methods, I think the wpa_supplicant method is the least preferred.

Alan DeKok.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
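The "minimum / maximum allowed TLS version" model described in the post, with the fallback rule that an unset configuration means TLS 1.3, written as an added example using Python's ssl module (not code from the post, OpenSSL, FreeRADIUS or any of the linked projects). The config keys tls_min_version and tls_max_version are assumed names for this example.

```python
import ssl
from typing import Mapping, Optional

# Config strings an administrator might write, mapped to the ssl module's
# TLSVersion enum. Only 1.2 and 1.3 are accepted, matching the proposal.
_TLS_VERSIONS = {
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}


def parse_tls_version(value: Optional[str]) -> Optional[ssl.TLSVersion]:
    """Return the TLSVersion for a config string, or None if the key is absent."""
    if value is None:
        return None
    version = _TLS_VERSIONS.get(value.strip())
    if version is None:
        raise ValueError(
            f"unsupported TLS version {value!r}; allowed: {sorted(_TLS_VERSIONS)}"
        )
    return version


def build_context(config: Mapping[str, str]) -> ssl.SSLContext:
    """Build a client SSLContext from the hypothetical keys
    'tls_min_version' and 'tls_max_version'.

    An absent minimum defaults to TLS 1.3, so an empty or partial config
    can never silently negotiate TLS 1.2. An absent maximum means
    "highest the library supports".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    minimum = parse_tls_version(config.get("tls_min_version"))
    maximum = parse_tls_version(config.get("tls_max_version"))
    if minimum is None:
        minimum = ssl.TLSVersion.TLSv1_3
    if maximum is None:
        maximum = ssl.TLSVersion.MAXIMUM_SUPPORTED
    # MAXIMUM_SUPPORTED is a negative sentinel, so compare only real versions.
    if maximum != ssl.TLSVersion.MAXIMUM_SUPPORTED and maximum < minimum:
        raise ValueError("tls_max_version is lower than tls_min_version")
    ctx.minimum_version = minimum
    ctx.maximum_version = maximum
    return ctx
```

An explicit tls_min_version of "1.2" is still honoured, which is the "MAY be compatible with TLS 1.2" case; only the absence of a setting is forced to TLS 1.3.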