On Thu, Apr 10, 2025 at 03:07:53PM -0400, Alan DeKok wrote:
> (trimming things a bit)
>
> > On Apr 10, 2025, at 2:41 PM, Jared Mauch <ja...@puck.nether.net> wrote:
> >
> > On Tue, Apr 08, 2025 at 11:23:44AM -0700, Eric Rescorla wrote:
> >> As Alan observes, we are talking about levies on new protocols, not
> >> existing protocols. These should be deployed with TLS 1.3 for the reasons
> >> indicated in this draft.
> >
> > I'm sorry, that just isn't the case no matter how much you wish
> > it would be.
>
> Please then answer the following questions:
>
> * do we want one already non-compliant use-case to set the bar for security?

Please clarify, do you mean security or privacy? Those are quite different but my experience in the past decade of the IETF is that the privacy people have a hard time seeing the forest through the toothpick.

> * do we want to avoid mandating TLS 1.3 for every other use-case?

There are other ways to do data integrity management than just TLS without all the weight and hot mess of the algo issues that arise from using TLS.

> * when will we be able to mandate TLS 1.3?
>
>
> The argument for mandating TLS 1.3 explicitly acknowledges the "I don't
> want TLS 1.3" use-case. It also gives reasons why the mandate is believed to
> be acceptable for that use-case.

Or that we can't manage TLS in these devices. Safari can't remember the certificates that I already have said "yes i know these are self signed". As an architecture when we pin a version number of something like this or require non-web based things to use TLS.

- Jared

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.