> On Apr 17, 2018, at 2:15 PM, Richard Levitte <levi...@openssl.org> wrote:
>
> Depends on what "the best thing you know to do" is. In my mind,
> simply refusing to run as before because the new kid in town didn't
> like the environment (for example a cert that's perfectly valid for
> TLSv1.2 but invalid for TLSv1.3) it ended up in isn't "the best thing
> you know to do".
>
> But I get you, your idea of "the best thing you know to do" is to run
> the newest protocol unconditionally unless the user / application says
> otherwise, regardless of if it's at all possible given the environment
> (like said cert).
If there were a non-negligible use of certificates that work with TLS 1.2, and that (implementation bugs aside) can't work with TLS 1.3, I'd support your position strongly. As it stands, I think you're right in principle, but not yet in practice. If we find no show-stopper issues, we should allow TLS 1.3 to happen.

I'm far more concerned about lingering middle-box issues than about some edge-case certificates...

--
Viktor.

_______________________________________________
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project