Dear IESG, *:

We received IESG review for draft-ietf-anima-brski-prm that was asking to
make the use of TLS 1.3 mandatory based on the expectation that
draft-ietf-uta-require-tls13 would become RFC - unless we provide
sufficient justification in our (prm) draft.

I would like to point out that it is the current version of
draft-ietf-uta-require-tls13 whose core applicability reasoning is
misleading:

"since TLS 1.3 use is widespread, ...
   new protocols that use TLS must require and assume its existence

This is not correct. Correct would be:

"since TLS 1.3 use is widespread in browsers, ...
   new protocols that use browsers and TLS must require its use and assume
   its existence,
   protocols not using browsers must recommend its use and assume its
   existence

Recommending, but not requiring, the use of TLS 1.3 is unfortunately
necessary for quite a while for the much larger space of IOT equipment and
protocols written for non-browser environments where IOT equipment is
important to be supported. Such IOT equipment often comes with SDKs that
can not be upgraded for long periods of time, sometimes as long as 10 years
or longer, and/or solutions where upgrade of the SDK (including OS) would
require very expensive re-certification such as FIPS 140 or required
regulatory requirements.

If you think this is not appropriate, then please stop flying planes,
because planes are one example of systems in which basic systems are not
possible to rewrite from scratch because they can not, for various,
including financial, reasons, be re-qualified at such a base level.

I hope other readers of this email worrying about being able to apply IETF
protocol standards to IOT environments can chime in on these concerns.

Short of that, the above text is a suggested re-write of the core
applicability point of the UTA draft. There may be other text to update.

Cheers
    Toerless

_______________________________________________
Uta mailing list -- uta@ietf.org
To unsubscribe send an email to uta-le...@ietf.org