> On 3 Apr 2015, at 22:35, John Bradley <[email protected]> wrote:
> 
> That's true, most will never make it to the security considerations in the 
> first place.
> 

yup

> For those that do, getting the message out that TLS versions below 1.2 are not 
> OK and pointing them to the BCP for the other 18 pages of info on the finer 
> points of cipher suite selection and other really good stuff is probably the 
> way to go.

until 1.3 is out, yeah maybe

> 
> I thought the draft BCP was quite good, but the key point about TLS version 
> is down in 3.1.1 and many people won't get that far if I know developers.
> 

maybe we need a BCP for reading BCPs that says 'read all of it' (but then there 
is that boilerplate to get through ;-))

> Pointing at the BCP is definitely the correct thing to do.  Hitting the 
> high point in the main spec doesn't hurt and might just remind some people who 
> see stuff about DTLS and Cipher Suites in the BCP and have their brains turn 
> off.

yeah maybe

> 
> John B.
> 
>> On Apr 3, 2015, at 5:08 PM, Leif Johansson <[email protected]> wrote:
>> 
>> 
>> 
>> 
>>> On 3 Apr 2015, at 21:16, John Bradley <[email protected]> wrote:
>>> 
>>> Yes it is good, though reading that BCP may scare off implementers who will 
>>> just ignore it.
>> 
>> Those people are gonna ignore a bunch of other good advice too. Let's not 
>> chase the rabbit down every hole.
>> 
>>> 
>>> We may still want to give the current advice of >= TLS 1.2 at the point of 
>>> publication, see BCP xx for additional considerations.
>>> 
>>> John B. 
>>> 
>>> 
>>> Sent from my iPhone
>>> 
>>>> On Apr 3, 2015, at 2:57 PM, Hannes Tschofenig <[email protected]> 
>>>> wrote:
>>>> 
>>>> I learned something new: we can reference a BCP (instead of an RFC) and
>>>> even if the RFC gets updated we will still have a stable reference.
>>>> (See Stephen's response to my question below).
>>>> 
>>>> This is what we should do for our documents when we reference TLS in the
>>>> future. We would reference the yet-to-become BCP (currently UTA-TLS
>>>> document) and we essentially point to the recommended usage for TLS
>>>> (version, ciphersuite, everything).
>>>> 
>>>> Isn't that great?
>>>> 
>>>> --------------------------------------------------------
>>>> 
>>>>> On 02/04/15 19:09, Hannes Tschofenig wrote:
>>>>> Hi Stephen,
>>>>> 
>>>>> if I understand it correctly, you are saying if we reference a BCP #
>>>>> (instead of the RFC) then a revised RFC will get the same BCP #. I have
>>>>> never heard about that and if that's indeed true that would be cool. I
>>>>> might also have misunderstood your idea though.
>>>> 
>>>> Yep, that's it. XML2RFC makes it hard but you can do it, worst
>>>> case via an RFC editor note
>>>> 
>>>> S.
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> [email protected]
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
> 
