On Tue, Mar 12, 2024 at 3:45 PM Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
>
> On 12/03/2024 22:06, Eric Rescorla wrote:
> > I don't think we should make statements about regulatory requirements
> > in this kind of specification. That's not our lane.
>
> I'd weakly disagree about making statements such as suggested,
> while agreeing with "not our lane." I don't think the text I
> suggested crosses that line, but it's fine if others disagree
> of course.
>
> I'd also be ok if we only stated that emitting these logs in
> production systems means not deploying state of the art security
> and letting the rest of the world connect the dots.
>

Lots of things don't constitute not deploying state of the art security, including, arguably, not using PQ algorithms. I think we should be very clear about the technical consequences of implementing this specification in the Security Considerations (which I think they are) but that either this statement or the one you previously proposed is not helpful.

-Ekr

> Cheers,
> S.
>
> PS: to be clear, I'm not objecting to progression if my
> suggestion isn't adopted.
>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls