On Dec 2, 2020, at 11:22 AM, Bill Frantz <[email protected]> wrote:
> One I think I can address are heart pacemakers. These are embedded in the 
> patients' chests. Upgrading them requires surgery. However, they have a 
> limited lifespan due to their batteries running down, I think we're talking 
> about 10 years or so, so there is a time where upgrade is practical.

This is a perfect example of reductio ad absurdum. Not that it’s a wrong 
example—for this use case, I think continued use of TLS 1.0 might be a 
requirement, if in fact there are pacemakers that use it. However, this is a 
situation where a subject matter expert skilled in the art should be designing 
a specific approach to the problem. It is not a case where no action should be 
taken—quite the opposite. It is quite likely that in this situation, 
operational practices could be undertaken that would limit the attack surface 
significantly.

The point is that you can’t argue with physics. If lives depend on winning that 
argument, you need to stop arguing and find a different approach to protecting 
those lives. If people’s personal privacy or financial privacy depends on them, 
perhaps this is a slightly less serious situation, but it’s still quite 
important. An enterprise that fails to plan for addressing these problems 
should be held liable for the damage that results from that failure. 

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
