On Sun, Aug 2, 2015 at 1:16 PM, John-Mark Gurney <[email protected]> wrote:
> > o Implement just the TCP-TLS negotiation option in the operating
> > system kernel with an interface to tell the application that TCP-
> > TLS has been negotiated and therefore that the application must
> > negotiate TLS.
>
> So, if TCP-ENO is adopted, and this TLS-use-TCP draft is adopted, they
> just have to do TCP-ENO, and no other work, and they've fully
> implemented the TCPINC WG recommendations, but we have made very little
> headway to encrypting the internet traffic.

You've made this point several times and I have to say I don't really understand it. Vendors need not ship TCPINC now and won't have to regardless of what we standardize. So, yes, they could do as you suggest, but if their intention is not to provide automatic encryption to their users, it would be far easier to simply not implement TCPINC at all, rather than just implement an in-kernel flag.

With that said, I think that the mode you mention above *is* of value to users because it allows out-of-band negotiation of TLS, so I would hope that vendors would implement both a version that upgraded all applications and one that just allowed applications to upgrade themselves [0].

-Ekr

[0] It's worth noting that yet another way to implement TCP-use-TLS is with the split indicated here but with the TLS implementation in userspace via libc modification shims. This seems like a valid implementation technique and I'm not sure what the objection would be to a vendor doing this.
_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc
