>From my experience, it is possible to update the firmware on many modern 
>constrained IoT devices, including the TLS / DTLS stack, today. Of course, 
>there are a lot of devices out there where updating the firmware involves 
>physical access by some technician.

However, there are a few other challenges. 

First, such a change must be carefully planned since the space on these devices 
is quite limited.

Second, IoT devices often follow "system" standards and for interoperability 
purposes you cannot just replace one version of the security protocol with 
another one. In some IoT standards, you can "easily" switch from one TLS 
version to the next without impacting the interoperability of the entire 
system. This is not necessarily the case with all IoT specifications. There are 
often other subtle changes that have an impact on the transition. For example, 
if you have an IoT deployment that uses EAP-TLS based on RFC 5216 and you 
switch to RFC 9190 then you are suddenly facing the requirement to use OCSP 
stapling in TLS, if you strictly follow RFC 9190. In general, you have to look 
at the whole system rather than just at a single IoT device alone. There may 
also be certification processes to consider. 

Then, there is the incentive issue. Just because there is a new version of TLS 
available does not immediately trigger companies to update their devices, 
particularly when there is not even a security problem with 1.2 (at least if 
you follow the recommendations from the UTA group).

Finally, implementations with the desired feature set also have to be 
available. Depending on the stack you are using, this might be the case, but it 
is not guaranteed. Implementing embedded security protocols takes more time 
than writing a JavaScript app...

Ciao
Hannes
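
The RFC 9190 point above, as an added example that is not part of Hannes's message or of any IETF document: with TLS 1.3 the EAP-TLS peer is expected to require a stapled certificate status from the server, so a server that worked fine under RFC 5216 without OCSP stapling no longer completes the handshake against a strictly conforming peer. The code below shows that check at the TLS layer using Go's crypto/tls, with the EAP encapsulation left out. Everything in it is constructed for the example: a throwaway self-signed certificate for the hostname eap-server.example, a loopback TCP connection standing in for the EAP conversation, and a placeholder byte string in place of a real DER OCSP response (crypto/tls forwards the staple bytes verbatim, so the client's "was anything stapled" decision can be exercised without a CA or responder). A real peer would additionally parse and validate the response, for example with golang.org/x/crypto/ocsp.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ErrNoStaple is the policy failure: the server finished its flight without a
// stapled certificate status, which a peer strictly enforcing the RFC 9190
// stapling requirement treats as a failed handshake.
var ErrNoStaple = errors.New("server sent no stapled certificate status")

// newServerCert builds a throwaway self-signed server certificate (assumption:
// hostname eap-server.example) and attaches `staple` as its OCSPStaple. In this
// example the staple is a constructed placeholder, not a real OCSP response.
func newServerCert(staple []byte) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "eap-server.example"},
		DNSNames:     []string{"eap-server.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the self-signed leaf is its own trust anchor here
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf, OCSPStaple: staple}, pool, nil
}

// HandshakeRequiringStaple runs a TLS 1.3 handshake over loopback TCP between a
// server that staples `staple` (nil = no stapling, i.e. an RFC 5216-era server)
// and a client that refuses to complete the handshake unless a status was
// stapled. It returns the client's handshake error, nil on success.
func HandshakeRequiringStaple(staple []byte) error {
	cert, pool, err := newServerCert(staple)
	if err != nil {
		return err
	}
	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13}
	clientCfg := &tls.Config{
		RootCAs:    pool,
		ServerName: "eap-server.example",
		MinVersion: tls.VersionTLS13,
		// Go's client always sends status_request. VerifyConnection runs after
		// chain validation; the stapled response, if any, is in cs.OCSPResponse.
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.OCSPResponse) == 0 {
				return ErrNoStaple
			}
			return nil
		},
	}

	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()

	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		srvErr <- tls.Server(conn, serverCfg).Handshake()
	}()

	cli, cliErr := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	<-srvErr // let the server observe either the client's alert or its Finished
	if cliErr == nil {
		cli.Close()
	}
	return cliErr
}

func main() {
	fmt.Println("no staple:  ", HandshakeRequiringStaple(nil))
	fmt.Println("with staple:", HandshakeRequiringStaple([]byte("constructed-ocsp-response")))
}
```

The first call fails with ErrNoStaple and the server side sees a bad_certificate alert; the second completes. That is exactly the kind of system-level break Hannes describes: nothing about the server's TLS 1.3 implementation is wrong, it simply never acquired a stapling capability that the older profile did not demand.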
 
-----Original Message-----
From: TLS <tls-boun...@ietf.org> On Behalf Of Loganaden Velvindron
Sent: Tuesday, 12 December 2023 06:17
To: Peter Gutmann <pgut...@cs.auckland.ac.nz>
Cc: tls@ietf.org
Subject: Re: [TLS] Adoption call for 'TLS 1.2 Feature Freeze'

Peter,

I'm curious. Are those embedded devices or IoT-type appliances where the 
firmware has a TLS library that will never be updated?


On Tue, 12 Dec 2023 at 05:30, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
>
> Rob Sayre <say...@gmail.com> writes:
>
> >>Given that TLS 1.2 will be around for quite some time
> >Not clear.
>
> Absolutely clear.  I work with stuff with 20-30 year deployment and 
> life cycles.  I'm fairly certain TLS 1.2 will still be around when the 
> WebTLS world is debating the merits of TLS 1.64 vs. TLS 1.65.
>
> (This is also why the TLS-LTS draft was created, BTW).
>
> Peter.
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
