On 6/3/16 at 2:28 AM, [email protected] (Hubert Kario) wrote:
> That being said, I would prefer the solution to be a compliance
> test suite that checks if servers do handle correctly future
> versions, future extensions and future ciphersuites correctly.

I agree with Hubert. The big question is how you get the bug
report to the server operator.

With servers which are currently maintained, it should be
possible, although difficult in specific instances, to contact
the owner. With servers which aren't being maintained, e.g.
those in imbedded devices, the problem becomes much harder.

If the client has a UI, it could explain the problem to the user
and ask if the user wants to continue with degraded security. If
so, then always use the remembered highest supported version
with that server domain name, with perhaps occasional reminders
to the user of the situation.

In any case, we should be addressing our efforts to getting bugs
fixed, not just coding around them.

Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz        | The first thing you need when  | Periwinkle
(408)356-8506      | using a perimeter defense is a | 16345 Englewood Ave
www.pwpconsult.com | perimeter.                     | Los Gatos, CA 95032
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls