Valery,

you are talking about constrained IoT devices, I am talking about the broader
set of "embedded" (mostly not very constrained) devices, such as those used in
a wide range of industries, typically with extremely long technology adoption
and certification cycles.

Cheers
    Toerless

On Wed, Apr 09, 2025 at 09:15:17AM +0300, Valery Smyslov wrote:
> (speaking not as UTA chair)
> 
> Hi Toerless,
> 
> if we are talking about IoT devices, then I've been told a lot of times by
> people more knowledgeable than I that IoT devices mostly rely on DTLS and
> not on TLS. And DTLS is explicitly mentioned in the draft as being out of
> scope.
> 
> Regards,
> Valery.
> 
> 
> > Dear IESG, *:
> > 
> > We received IESG review for draft-ietf-anima-brski-prm that was asking to
> > make the use of TLS 1.3 mandatory based on the expectation that
> > draft-ietf-uta-require-tls13 would become RFC - unless we provide
> > sufficient justification in our (prm) draft.
> > 
> > I would like to point out that it is the current version of
> > draft-ietf-uta-require-tls13 whose core applicability reasoning is
> > misleading:
> > 
> > "since TLS 1.3 use is widespread, ...
> >    new protocols that use TLS must require and assume its existence
> > 
> > This is not correct. Correct would be:
> > 
> > "since TLS 1.3 use is widespread in browsers, ...
> >    new protocols that use browsers and TLS must require its use and assume
> >    its existence,
> >    protocols not using browsers must recommend its use and assume its
> >    existence
> > 
> > Recommending, but not requiring, the use of TLS 1.3 is unfortunately
> > necessary for quite a while for the much larger space of IoT equipment and
> > protocols written for non-browser environments where it is important that
> > IoT equipment be supported. Such IoT equipment often comes with an SDK that
> > cannot be upgraded for long periods of time, sometimes as long as 10 years
> > or longer, and/or solutions where an upgrade of the SDK (including the OS)
> > would require very expensive re-certification, such as FIPS 140 or other
> > regulatory requirements.
> > 
> > If you think this is not appropriate, then please stop flying planes,
> > because planes are one example of systems in which basic systems are not
> > possible to rewrite from scratch because they cannot, for various reasons
> > including financial ones, be re-qualified at such a base level.
> > 
> > I hope other readers of this email worrying about being able to apply IETF
> > protocol standards to IoT environments can chime in on these concerns.
> > 
> > Short of that, the above text is a suggested rewrite of the core
> > applicability point of the UTA draft. There may be other text to update.
> > 
> > Cheers
> >     Toerless
> 

-- 
---
t...@cs.fau.de

_______________________________________________
Uta mailing list -- uta@ietf.org
To unsubscribe send an email to uta-le...@ietf.org