Good day!

On Sun, Aug 19, 2018 at 3:01 AM Stephen Farrell
<stephen.farr...@cs.tcd.ie> wrote:
> 1. The bit you quote above is incomplete

Yep, but the rest of the paragraph just outlines *recommendations*
(or, even better, 'encouragements') while the draft states that "PCI
Council [is] deprecating TLSv1.0 and TLSv1.1 by June 30, 2018".

In the PCI world, *deprecation* is commonly thought to be a
*requirement*, not a recommendation. It is *not recommended* to use
TLSv1.1 (and TLSv1.2) already just by virtue of the fact that a more
up-to-date spec version exists.

My point here is that this wording is not, strictly speaking, correct
-- so far, as a matter of fact.

(In fact, PCI DSS even still allows usage of SSLv3 under certain
circumstances -- e.g. POS/POI -- but said circumstances are strict
enough for us to conveniently omit mentioning those.)

> 2. Use of TLSv1.1 seems to be almost non-existent. See the figures
> in the -01 draft for some detail [..]

Maybe, but this is irrelevant to the concern I've raised. If you want
PCI SSC to deprecate TLSv1.1 just because enterprise networks are not
using it, the right way to do it is to share the data with the SSC
along with the research methodology and let them decide.

By the way, at least one issue with the research data referred to in
draft-diediedie-01 which I'm aware of is that the researchers were
hunting for an open 443/tcp port only, while enterprises have a
practice of moving deprecated services they somehow cannot get rid of
to different ports, like 4443, 4433, 8443 and so on.

To make it absolutely clear, I'm not criticizing the methodology now;
I just want to raise a concern that if PCI SSC somehow decided to
deprecate v1.0 (far ahead of IETF) but still keep v1.1, then, *maybe*,
they had at some point in time a strong reason to do so. It's entirely
fine to ignore their preferences and let PCI SSC 'catch up' without
quoting them as a reference, or, vice versa, it's okay to quote the
SSC while sticking to their actual suggestions.

Just in case, I'm not in any way against the draft-diediedie. I
support it, which is why I've voted for the WG adoption before posting
this to the mailing list. I'm just a nerd who wants the document to be
consistent for that matter, and that's it.

--
Töma

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
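The post's point about relocated services is easy to check on one's own estate: a protocol inventory that only probes 443/tcp will miss a legacy listener that was moved to 4443, 4433 or 8443. The script below is an added example written for this thread; it is not code from the original post, from draft-diediedie, or from the PCI SSC. The port list, the `find_deprecated_tls` / `probe_version` names and the host name used in the usage line are this example's own assumptions. It pins a client context to exactly one protocol version per attempt and reports, per port, which deprecated versions a server still completes a handshake with; the probe is injectable so the reporting logic can be exercised without a network.

```python
"""Inventory which deprecated TLS versions a host still negotiates on its
standard and alternate HTTPS ports.

Added example for the mailing-list thread above (not part of the original
post or of draft-diediedie). Port list, host names and the probe function
are this example's own assumptions.
"""
import socket
import ssl

# Candidate ports: the default plus the alternates named in the post
# (constructed list; extend it from your own asset inventory).
CANDIDATE_PORTS = (443, 4443, 4433, 8443)

# Protocol versions treated as deprecated for the purposes of this check.
DEPRECATED = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def probe_version(host, port, version, timeout=3.0):
    """Attempt one handshake pinned to exactly `version`.

    Returns True when the server completes the handshake at that version,
    False when it refuses or the port is closed/unreachable. Certificate
    validation is disabled on purpose: this checks protocol support on
    hosts you administer, it does not authenticate them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # Recent OpenSSL builds refuse TLS 1.0/1.1 at the default security
        # level; lower it so a refusal reflects the server, not the client.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ssl.SSLError):
        return False


def find_deprecated_tls(host, ports=CANDIDATE_PORTS, probe=probe_version):
    """Map each port on `host` to the deprecated versions it still accepts.

    `probe(host, port, version)` is injectable so the scan logic can be
    tested offline. Ports accepting none of DEPRECATED are omitted.
    """
    findings = {}
    for port in ports:
        accepted = [v.name for v in DEPRECATED if probe(host, port, v)]
        if accepted:
            findings[port] = accepted
    return findings


if __name__ == "__main__":
    import sys
    # Hypothetical target; pass a host you are responsible for.
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for port, versions in sorted(find_deprecated_tls(target).items()):
        print(f"{target}:{port} still negotiates {', '.join(versions)}")
```

Run it against a host you operate and compare the output for `ports=(443,)` with the full candidate list; the difference is exactly the blind spot the post describes. A pinned `minimum_version == maximum_version` context is what makes the answer unambiguous: a server that merely prefers TLS 1.2 but still falls back to 1.0 shows up, which a default-context connection would hide.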