> * "When the API allows it, clients SHOULD specify just the minimum version they want."
> I struggled with this phrasing and attempting to reconcile it with the
> broader goal of requiring TLS1.3. What is really meant here, and could
> it be more clearly stated?

To answer the second question, yes it can be more clear. :). Does this work?

The initial TLS handshake allows a client to specify which versions of the TLS protocol it supports and the server is intended to pick the highest version that it also supports. This is known as the "TLS version negotiation," and protocol and negotiation details are discussed in [TLS13], Section 4.2.1 and [TLS12], Appendix E.

Many TLS libraries provide a way for applications to specify the range of versions they want, including an open interval where only the lowest or highest version is specified. If the application is using a TLS implementation that supports this, and if it knows that the TLS implementation will use the highest version supported, then clients SHOULD specify just the minimum version they want. This MUST be TLS 1.3 or TLS 1.2, depending on the circumstances described in the above paragraphs.

> * "At this time it was published" ->
> "At the time it was published"

Fixed in editor's copy, thanks!

_______________________________________________
Uta mailing list -- uta@ietf.org
To unsubscribe send an email to uta-le...@ietf.org
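An added example, not part of the original message or the draft: with Python's `ssl` module, the open interval described in the proposed text means setting only `minimum_version` and leaving the ceiling open. The helper names and the `0x0305` future version are hypothetical, and `negotiate` is a simplified model of the server picking the highest shared version.

```python
import ssl

ALLOWED_FLOORS = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

def client_context(floor=ssl.TLSVersion.TLSv1_3):
    """Client context that states only a minimum version (open upper bound)."""
    if floor not in ALLOWED_FLOORS:
        raise ValueError("floor must be TLS 1.2 or TLS 1.3")
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = floor
    # Open ceiling: the library offers every version it supports above the floor.
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx

def audit(ctx):
    """Return findings for a context that departs from 'minimum only'."""
    findings = []
    if ctx.minimum_version not in ALLOWED_FLOORS:
        findings.append("floor is not TLS 1.2 or TLS 1.3")
    if ctx.maximum_version != ssl.TLSVersion.MAXIMUM_SUPPORTED:
        findings.append("ceiling is pinned; newer versions cannot be negotiated")
    return findings

# Wire codes for the toy model; NEXT is a hypothetical future version (constructed).
TLS12, TLS13, NEXT = 0x0303, 0x0304, 0x0305

def negotiate(floor, ceiling, server_versions):
    """Toy model: highest server version inside the client's range, else None."""
    shared = [v for v in server_versions
              if v >= floor and (ceiling is None or v <= ceiling)]
    return max(shared, default=None)

if __name__ == "__main__":
    print(audit(client_context()))                       # no findings
    print(hex(negotiate(TLS13, None, [TLS12, TLS13, NEXT])))   # open ceiling
    print(hex(negotiate(TLS13, TLS13, [TLS12, TLS13, NEXT])))  # pinned ceiling
    print(negotiate(TLS13, None, [TLS12]))               # no shared version
```

A client whose floor is above everything the server supports gets no shared version, so the handshake fails instead of falling back to an older protocol.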