(Not speaking as UTA chair)

On Apr 8, 2025, at 12:05 PM, Toerless Eckert <t...@cs.fau.de> wrote:
> Recommending, but not requiring the use of TLS 1.3 is unfortunately necessary for
> quite a while for the much larger space of IOT equipment and protocols written
> for non-browser environments where IOT equipment is important to be supported.
> Such IOT equipment often comes with SDKs that cannot be upgraded for long periods of
> time, sometimes as long as 10 years or longer, and/or solutions where upgrade of SDK
> (including OS) would require very expensive re-certification such as FIPS 140 or
> required regulatory requirements.
  I.e., these systems can be upgraded with new protocols, but not with updates to TLS?  That seems unfortunate.

> If you think this is not appropriate, then please stop flying planes, because
> planes are one example of systems in which basic systems are not possible to rewrite
> from scratch because they cannot, for various, including financial, reasons be
> re-qualified at such a base level.

  I have personal knowledge of aviation systems running TLS 1.0 with RC4 and DES.  So yes, these are real issues.  It would be very nice to be able to say "too bad it's 2025, upgrade".  However, there are financial / business implications.

> Short of that, the above text is suggested re-write of the core applicability
> point of the UTA draft.  There may be other text to update.

  RFC 8446 is 7 years old.  If we don't mandate the use of TLS 1.3 for new protocols now, when will we be able to mandate it?  I will point to the above usage of TLS 1.0 to answer that question: "never".  That doesn't seem acceptable to me, either.

  One reason to mandate TLS 1.3 is the recognition that a lot of implementations have no qualms about ignoring the "MUST" provisions of RFCs.  If we published draft-ietf-uta-require-tls13 as-is, then I would fully expect legacy products to ignore it, and to use TLS 1.0 with RC4/DES for new protocols.

  Perhaps a different question is "Do we want to avoid mandating TLS 1.3 for everyone *else* in the world, simply because one use-case refuses to upgrade?"  My answer to that would be "no".  The benefit gained everywhere else by mandating TLS 1.3 likely outweighs the minor problems of one use-case who chooses to ignore that mandate.

  Alan DeKok.
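The message above makes two practical points: fielded equipment still negotiates TLS 1.0 with RC4 and DES, and implementations ignore "MUST" text anyway. Either way, the only way to know what a population of devices will actually accept is to look at the ClientHello they send rather than at the specification they claim to follow. The Python below is an added example written for this page; it is not code from the thread, from Alan DeKok, or from any UTA draft. It parses a TLS ClientHello record, reads the cipher suite list and the supported_versions extension (RFC 8446, section 4.2.1), and flags a client that does not offer TLS 1.3, that offers a version below TLS 1.2, or that offers an RC4 or single-DES suite. The two ClientHellos it inspects are constructed in the block (fixed zero random, no captured traffic), and the table of weak suites is a small illustrative subset of the IANA registry, not the full list.

```python
"""Added example: audit a TLS ClientHello for legacy versions and RC4/DES suites.

Not from the mailing-list thread or any UTA draft; standard library only.
"""
import struct

# Illustrative subset of IANA cipher suite code points that use RC4 or single DES.
WEAK_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 section 4.2.1


def parse_client_hello(record):
    """Return (legacy_version, cipher_suites, supported_versions or None)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len, = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    legacy_version, = struct.unpack("!H", body[0:2])
    pos = 2 + 32                                 # skip client random
    pos += 1 + body[pos]                         # skip legacy_session_id
    cs_len, = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                         # skip legacy_compression_methods
    supported_versions = None
    if pos + 2 <= len(body):                     # extensions block is optional before TLS 1.3
        ext_len, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS and data:
                n = data[0]                      # ClientHello form: 1-byte length, then 2-byte versions
                supported_versions = [struct.unpack("!H", data[i:i + 2])[0]
                                      for i in range(1, 1 + n, 2)]
    return legacy_version, suites, supported_versions


def audit_client_hello(record):
    """Summarise what the client will negotiate and flag legacy choices."""
    legacy_version, suites, supported_versions = parse_client_hello(record)
    # A TLS 1.3 client pins legacy_version at 0x0303 and lists real versions in
    # supported_versions; without the extension, legacy_version is the client's maximum.
    offered = supported_versions if supported_versions is not None else [legacy_version]
    weak = [WEAK_SUITES[s] for s in suites if s in WEAK_SUITES]
    findings = []
    if 0x0304 not in offered:
        findings.append("client does not offer TLS 1.3")
    findings += [f"client offers {VERSION_NAMES.get(v, hex(v))}" for v in offered if v < 0x0303]
    findings += [f"client offers {name}" for name in weak]
    return {"offered_versions": [VERSION_NAMES.get(v, hex(v)) for v in offered],
            "weak_suites": weak, "tls13_capable": 0x0304 in offered, "findings": findings}


def build_client_hello(legacy_version, suites, supported_versions=None):
    """Construct a minimal ClientHello record for the samples below (zero random)."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"  # version, random, empty session id
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00"                                              # one compression method: null
    if supported_versions is not None:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_data = bytes([len(vers)]) + vers
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


# Constructed samples, not captures: a device stuck on TLS 1.0 with RC4/DES, and a
# current client that advertises TLS 1.3 through supported_versions.
LEGACY_HELLO = build_client_hello(0x0301, [0x0005, 0x0009, 0x002F])
MODERN_HELLO = build_client_hello(0x0303, [0x1301, 0x1302, 0xC02F],
                                  supported_versions=[0x0304, 0x0303])

if __name__ == "__main__":
    for label, hello in (("legacy device", LEGACY_HELLO), ("modern client", MODERN_HELLO)):
        result = audit_client_hello(hello)
        print(label, result["offered_versions"], result["findings"] or ["no findings"])
```

Run against records pulled from a capture of the device population in question, this tells you which clients would actually break if a server enforced TLS 1.3 and which merely have an old record-layer version but negotiate 1.3 fine. Note the asymmetry the code encodes: without supported_versions, legacy_version is an upper bound and the client implicitly accepts everything below it, so a bare 0x0303 there is not evidence of TLS 1.3 support.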