Hi Mike,

On Tue, Oct 13, 2020 at 03:59:27PM -0400, Michael D'Errico wrote:
> > Saying that it's your preference without saying why is likely
> > to have little effect, yes.  (We endeavor to make decisions
> > based on technical merit, not voting, after all.)  Why do you
> > want this?
>
> Hi,
>
> I think the advice should be: "If your code currently
> only supports TLS 1.0, please spend a week or two
> adding support for both TLS 1.1 and the downgrade
> protection SCSV."
>
> Since the vast majority of the 1.0 and 1.1 specifications
> is the same, someone who takes the advice has a
> good chance of succeeding.
>
> (You could then also say which other extensions are
> important and why, roughly in order of importance.)

I don't see much to object to in that advice, but the precondition is
rather limiting.  Have you considered writing a draft that covers it
(including fleshing out the important extensions)?

> Recommending that people wholesale abandon
> their legacy system and implement TLS (1.2 and)
> 1.3 is asking too much, and will largely be ignored
> by the people who would be able to add 1.1 to their
> 1.0 code.

It may be true that such recommendations will largely be ignored by
people who have 1.0-only implementations (recall that the IETF does not
have an enforcement arm!), but draft-ietf-tls-oldversions-deprecate aims
to be a Best Current Practice, and there are no preconditions to that
Best.  The Best thing you can do for TLS involves TLS 1.3, and TLS 1.2
is probably okay, too.  I don't see anyone arguing that the Best Current
Practice for TLS, in general, involves TLS 1.0 or 1.1, at this point.

-Ben

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
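The thread turns on two server-side policy questions: which protocol versions a server is still willing to negotiate, and how it honours the downgrade-protection SCSV (TLS_FALLBACK_SCSV, 0x5600) that the quoted advice asks TLS 1.0 implementers to add. The following is an added example, not code from the thread or from any IETF draft: it parses the version-relevant fields of a ClientHello (legacy client_version, cipher suite list, and the supported_versions extension used by TLS 1.3 clients) and applies the RFC 7507 rule that a server must abort with inappropriate_fallback when the SCSV is present but the client offers less than the server's maximum. The `build_client_hello` helper and all sample records are constructed here for illustration; the minimum and maximum versions passed to `server_decision` are the policy knobs a deployment would set.

```python
import struct

# Cipher suite and extension code points from RFC 7507 and RFC 8446.
TLS_FALLBACK_SCSV = 0x5600
SUPPORTED_VERSIONS_EXT = 0x002B

VERSION_NAMES = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}


def build_client_hello(client_version, suites, supported_versions=None):
    """Constructed test input: a minimal, well-formed TLS record carrying a
    ClientHello with the given legacy version, cipher suites and (optionally)
    a supported_versions extension. Random and session id are zeroed."""
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    exts = b""
    if supported_versions:
        data = bytes([2 * len(supported_versions)])
        data += b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the version-policy fields of a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake")
    pos = 0
    client_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                      # skip client random
    pos += 1 + hello[pos]              # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]              # skip compression methods
    supported_versions = []
    if pos < len(hello):               # extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == SUPPORTED_VERSIONS_EXT:
                n = edata[0]
                supported_versions = [struct.unpack("!H", edata[i:i + 2])[0]
                                      for i in range(1, 1 + n, 2)]
    return {
        "client_version": client_version,
        "cipher_suites": suites,
        "fallback_scsv": TLS_FALLBACK_SCSV in suites,
        "supported_versions": supported_versions,
    }


def server_decision(record, server_min=0x0303, server_max=0x0304):
    """Decide what a server with the given version policy does with a
    ClientHello: negotiate a version, or abort with the named alert."""
    h = parse_client_hello(record)
    if h["supported_versions"]:
        offered = h["supported_versions"]            # TLS 1.3 style
    else:
        # Legacy semantics: client_version is the highest version supported.
        offered = [v for v in VERSION_NAMES if v <= h["client_version"]]
    highest = max(offered)
    # RFC 7507: SCSV present and the server could do better than the client
    # is asking for means this is a fallback retry, so refuse it.
    if h["fallback_scsv"] and server_max > highest:
        return "abort: inappropriate_fallback"
    negotiable = [v for v in offered if server_min <= v <= server_max]
    if not negotiable:
        return "abort: protocol_version"
    best = max(negotiable)
    return "negotiate " + VERSION_NAMES.get(best, hex(best))


if __name__ == "__main__":
    legacy_10 = build_client_hello(0x0301, [0x002F])
    print("TLS 1.0-only client, 1.2+ server:", server_decision(legacy_10))
    print("TLS 1.0-only client, 1.1+ server:",
          server_decision(legacy_10, server_min=0x0302))
```

A TLS 1.0-only implementation that follows the quoted advice and adds 1.1 plus the SCSV gets `negotiate TLS 1.1` from a server still willing to go that low and a clean `abort: protocol_version` from one that is not; the SCSV branch is what stops an attacker-induced retry at a lower version from succeeding against a server that would have negotiated higher.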
