On Thu, Mar 6, 2025 at 7:14 AM Salz, Rich <rs...@akamai.com> wrote:
> > * "When the API allows it, clients SHOULD specify just the minimum
> > version they want."
> >
> > I struggled with this phrasing and attempting to reconcile it with the
> > broader goal of requiring TLS1.3. What is really meant here, and could
> > it be more clearly stated?
>
> To answer the second question, yes it can be more clear. :). Does this
> work?
>
> The initial TLS handshake allows a client to specify which
> versions of the TLS protocol it supports and the server is intended to pick
> the highest version that it also supports. This is known as the "TLS
> version negotiation," and protocol and negotiation details are discussed in
> [TLS13], Section 4.2.1 and [TLS12], Appendix E. Many TLS libraries provide
> a way for applications to specify the range of versions they want,
> including an open interval where only the lowest or highest version is
> specified.
>
> If the application is using a TLS implementation that supports
> this, and if it knows that the TLS implementation will use the highest
> version supported, then clients SHOULD specify just the minimum version
> they want. This MUST be TLS 1.3 or TLS 1.2, depending on the circumstances
> described in the above paragraphs.

Ah, I missed the "open interval" aspect of this. This makes sense; thank you!

> > * "At this time it was published" ->
> > "At the time it was published"
>
> Fixed in editor's copy, thanks!

_______________________________________________
Uta mailing list -- uta@ietf.org
To unsubscribe send an email to uta-le...@ietf.org
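
The open-interval configuration discussed in the message above, as an added example that is not part of the original thread: a client sets only the minimum version, and the ClientHello it would send is parsed to list what the `supported_versions` extension ([TLS13], Section 4.2.1) offers. Python's `ssl` module is an assumption here (the thread names no library), and `example.test` is a placeholder host; nothing is sent over the network.

```python
import ssl
import struct

SUPPORTED_VERSIONS = 43  # extension type, RFC 8446 Section 4.2.1


def client_context(minimum):
    """Client context with an open interval: only the floor is set."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum
    # maximum_version is left at MAXIMUM_SUPPORTED so that newer protocol
    # versions are offered automatically when the library gains them.
    return ctx


def client_hello(ctx):
    """Return the first TLS record the client would send (in memory only)."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="example.test")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client now waits for a ServerHello
    return outgoing.read()


def offered_versions(record):
    """Parse a ClientHello record and return the supported_versions list."""
    if record[0] != 22 or record[5] != 1:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                   # record hdr, handshake hdr, legacy_version, random
    pos += 1 + record[pos]                 # legacy_session_id
    (suites_len,) = struct.unpack_from("!H", record, pos)
    pos += 2 + suites_len                  # cipher_suites
    pos += 1 + record[pos]                 # legacy_compression_methods
    (ext_total,) = struct.unpack_from("!H", record, pos)
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == SUPPORTED_VERSIONS:
            count = record[pos] // 2       # one-byte list length, two bytes per version
            return list(struct.unpack_from("!%dH" % count, record, pos + 1))
        pos += ext_len
    return []


if __name__ == "__main__":
    for floor in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        versions = offered_versions(client_hello(client_context(floor)))
        print(floor.name, [hex(v) for v in versions])
```
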