That's true, most will never make it to the security considerations in the first 
place.  

For those that do, getting the message out that TLS versions below 1.2 are not 
OK and pointing them to the BCP for the other 18 pages of info on the finer 
points of cipher suite selection and other really good stuff is probably the 
way to go.

I thought the draft BCP was quite good, but the key point about TLS version is 
down in 3.1.1 and many people won't get that far if I know developers.

Pointing at the BCP is definitely the correct thing to do.  Hitting the 
high point in the main spec doesn't hurt and might just remind some people who 
see stuff about DTLS and Cipher Suites in the BCP and have their brains turn 
off.

John B.

> On Apr 3, 2015, at 5:08 PM, Leif Johansson <[email protected]> wrote:
> 
>> 3 apr 2015 kl. 21:16 skrev John Bradley <[email protected]>:
>> 
>> Yes it is good, though reading that BCP may scare off implementers who will 
>> just ignore it. 
> 
> Those people are gonna ignore a bunch of other good advice too. Let's not chase 
> the rabbit down every hole.
> 
>> 
>> We may still want to give the current advice of >= TLS 1.2 at the point of 
>> publication, see BCP xx for additional considerations. 
>> 
>> John B. 
>> 
>> 
>> Sent from my iPhone
>> 
>>> On Apr 3, 2015, at 2:57 PM, Hannes Tschofenig <[email protected]> 
>>> wrote:
>>> 
>>> I learned something new: we can reference a BCP (instead of an RFC) and
>>> even if the RFC gets updated we will still have a stable reference.
>>> (See Stephen's response to my question below).
>>> 
>>> This is what we should do for our documents when we reference TLS in the
>>> future. We would reference the yet-to-become BCP (currently UTA-TLS
>>> document) and we essentially point to the recommended usage for TLS
>>> (version, ciphersuite, everything).
>>> 
>>> Isn't that great?
>>> 
>>> --------------------------------------------------------
>>> 
>>>> On 02/04/15 19:09, Hannes Tschofenig wrote:
>>>> Hi Stephen,
>>>> 
>>>> if I understand it correctly, you are saying if we reference a BCP #
>>>> (instead of the RFC) then a revised RFC will get the same BCP #. I have
>>>> never heard about that and if that's indeed true that would be cool. I
>>>> might also have misunderstood your idea though.
>>> 
>>> Yep, that's it. XML2RFC makes it hard but you can do it, worst
>>> case via an RFC editor note.
>>> 
>>> S.
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/oauth
