Scott Ford wrote: >But from a application point of view, if the application is using AT/TLS >and there are Pagent protection policies for PORTS/IP addresses and the >application is using encryption, where's the risk ???
There's plenty of risk when running an unsupported, unpatched release. Even leaving that important point aside, you're assuming a fact not in evidence. z/OS 1.4 didn't have AT-TLS. AT-TLS debuted in z/OS 1.7: https://www.ibm.com/common/ssi/rep_ca/7/897/ENUS205-167/ENUS205-167.PDF Notably, z/OS 1.4 was Generally Available on September 27, 2002. TLS 1.1 was not even defined until April, 2006 (RFC 4346), never mind TLS 1.2 (RFC 5246 in August, 2008, and RFC 6176 in March, 2011). FYI, the PCI Council requires an absolute minimum of TLS 1.1 (if configured according to NIST Special Publication 800-52 Revision 1) to comply with their Data Security Standard (DSS) Version 3.1. A lot has happened in the past decade and a half, never mind what's soon to happen. The "soon to happen" is also important. You simply cannot defend yourself if you're cut off from vendor supplies of security patches or if you don't follow a reasonable preventive maintenance program. -------------------------------------------------------------------------------------------------------- Timothy Sipples IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA E-Mail: sipp...@sg.ibm.com ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN