On Tue, 10 Nov 2020 20:40:57 +0200
Yaron Sheffer <[email protected]> wrote:

> I think marking the “oldversions” draft as “obsoletes RFC 7507
> (SCSV)” is not great from an ecosystem point of view. People will
> interpret it as “no need to implement SCSV in new code, no need to
> expose it as a configuration option in existing code”. And we know
> that some admins will continue to allow downgrade to TLS 1.0/1.1 no
> matter what we tell them.

Is this true?

To clarify: We're not talking about people supporting TLS 1.0/1.1 (of
which there are obviously still many), we're talking about clients
doing out-of-protocol downgrade dances where they will attempt to
connect via TLS 1.0/1.1 if TLS 1.2 connections fail. That's the only
scenario where SCSV is needed.
AFAIK the only clients that ever did these out of protocol downgrades
were browsers and they all disabled this behavior in the meantime.

I would assume it's very likely that SCSV serves no useful purpose today
and hasn't done so for years.


-- 
Hanno Böck
https://hboeck.de/

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
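The out-of-protocol downgrade dance discussed above, together with the RFC 7507 server-side check that detects it, as an added simulation in Python; this is not code from the thread or from any TLS implementation. The cipher-suite value 0x5600 is the one RFC 7507 assigns to TLS_FALLBACK_SCSV; the ordinary suite values, the retry order and the "blocked version" set that stands in for a failed handshake are constructed assumptions.

```python
TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600          # cipher-suite value assigned by RFC 7507
ORDINARY_SUITES = (0xC02F, 0xC030)  # constructed placeholders for real suites


class InappropriateFallback(Exception):
    """Stands in for the inappropriate_fallback(86) alert a server sends."""


def server_negotiate(server_max, client_max, cipher_suites):
    """RFC 7507 server rule: a ClientHello that carries TLS_FALLBACK_SCSV
    and offers a version below the server's highest is refused, because
    the client is signalling that a higher attempt already failed."""
    if TLS_FALLBACK_SCSV in cipher_suites and client_max < server_max:
        raise InappropriateFallback("fallback to %#06x refused" % client_max)
    return min(server_max, client_max)


def fallback_client(server_max, blocked_versions, use_scsv,
                    versions=(TLS12, TLS11, TLS10)):
    """Simulated downgrade dance: try each version from the top; when the
    handshake 'fails' (modelled by blocked_versions, e.g. a middlebox that
    drops TLS 1.2 hellos), retry one version lower. A client following
    RFC 7507 adds the SCSV on every retry (use_scsv=True).
    Returns (negotiated_version, attempts) or raises InappropriateFallback."""
    attempts = 0
    for i, version in enumerate(versions):
        attempts += 1
        if version in blocked_versions:
            continue                      # handshake never completes
        suites = list(ORDINARY_SUITES)
        if use_scsv and i > 0:            # this is a retry, mark it
            suites.append(TLS_FALLBACK_SCSV)
        return server_negotiate(server_max, version, suites), attempts
    raise ConnectionError("no version succeeded")


def run_case(server_max, blocked_versions, use_scsv):
    """'refused' when the server detects the fallback, else the version."""
    try:
        return fallback_client(server_max, blocked_versions, use_scsv)[0]
    except InappropriateFallback:
        return "refused"


if __name__ == "__main__":
    print(hex(run_case(TLS12, set(), True)))            # 0x303: no interference
    print(run_case(TLS12, {TLS12}, True))               # refused: SCSV exposes fallback
    print(hex(run_case(TLS12, {TLS12}, False)))         # 0x302: silent downgrade
    print(hex(run_case(TLS10, {TLS12, TLS11}, True)))   # 0x301: old server, still works
```

The last case shows why the SCSV is safe to send to servers that genuinely top out at an old version: the check only fires when the server itself supports something higher than what the retrying client offered.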
