I do not follow.

>> This is a bogus argument.
> I'm pretty sure there's a Monty Python skit about this, so I won't belabor 
> the point.

I'll avoid asking how many sparrows are needed ;-)

>> First, staying with an old protocol version often leads to locking in 
>> unmaintained versions of old software.
> Right, that's one of the stated goals of this work: to be able to continue to 
> use software that the operator can't upgrade.

No, the enterprise wants to use maintained server implementations.

>> Second, using TLS1.2 does not technically address the issue.  If the client 
>> were to exclusively offer DHE-based ciphersuites, then the visibility 
>> techniques that have been used in the past are thwarted.
> The client in this case is under the control of the operator, so this is a 
> non-issue.

In some cases, the client in the load balancer is under the control of the 
enterprise.  In other cases, the client is in the customer browser, and opt-in 
is very significant.
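As an added example (mine, not from anyone in this thread), the check below parses a TLS 1.2 ClientHello and reports whether the client offered only DHE/ECDHE suites, the case the quoted paragraph describes: the server cannot then select a static-RSA suite, so a passive decryptor holding the server's RSA private key gains nothing. The cipher suite values are IANA-assigned; the ClientHello bytes and the small suite table are constructed for the example.

```python
import struct

# Small table of IANA TLS 1.2 cipher suite values keyed by key-exchange type.
# Only suites listed here are classified; anything else is reported as "unknown".
STATIC_RSA = {0x002F, 0x0035, 0x009C, 0x009D}           # RSA key transport: server key decrypts
EPHEMERAL = {0x0033, 0x0039, 0x009E, 0x009F,            # DHE_RSA
             0xC02B, 0xC02C, 0xC02F, 0xC030}            # ECDHE_ECDSA / ECDHE_RSA

def build_client_hello(suites, client_random=b"\x11" * 32):
    """Constructed TLS 1.2 ClientHello record (no extensions) offering `suites`."""
    body = struct.pack("!H", 0x0303) + client_random + b"\x00"    # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                            # one compression method: null
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body         # handshake type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record: handshake, legacy version

def offered_cipher_suites(record):
    """Parse a ClientHello record and return the offered cipher suite IDs in order."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 2 + 32                       # skip client_version and random
    pos += 1 + body[pos]               # skip session id (length-prefixed)
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]

def classify(record):
    """Bucket the offered suites. A non-empty 'static_rsa' list means the server could
    pick a suite whose session keys a holder of the server's RSA private key can recover."""
    suites = offered_cipher_suites(record)
    return {
        "static_rsa": [s for s in suites if s in STATIC_RSA],
        "ephemeral": [s for s in suites if s in EPHEMERAL],
        "unknown": [s for s in suites if s not in STATIC_RSA | EPHEMERAL],
    }

def forward_secret_only(record):
    """True when every offered suite is DHE/ECDHE, i.e. the client has not opted in
    to static-key visibility; unknown suites are treated conservatively as not opted out."""
    c = classify(record)
    return bool(c["ephemeral"]) and not c["static_rsa"] and not c["unknown"]
```

Run on a real capture by passing the raw record bytes of the first client flight; a browser that includes any static-RSA suite in its offer leaves the opt-in decision to the server.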


TLS mailing list