I agree with David, I think “and provides excellent security as-is” should be 
removed.

John

From: David Benjamin <david...@chromium.org>
Date: Wednesday, 4 December 2024 at 18:57
To: John Mattsson <john.matts...@ericsson.com>
Cc: Salz, Rich <rs...@akamai.com>, Sean Turner <s...@sn3rd.com>, TLS List 
<tls@ietf.org>
Subject: Re: [TLS] Re: Working Group Last Call for TLS 1.2 is in Feature Freeze

Talking about providing "excellent security" also will get out-of-date and/or 
subjective once someone decides post-quantum, or any other 1.3-only 
improvement, is the bar for "excellent". I would suggest just not having the 
draft opine on such things when it doesn't need to.

We could just delete the first paragraph altogether and start the document:

> TLS 1.3 [TLS13] is in widespread use and fixes many known deficiencies with 
> TLS 1.2 [TLS12], such as encrypting more of the traffic so that it is not 
> readable by outsiders and removing most cryptographic primitives now 
> considered weak. Importantly, TLS 1.3 enjoys robust security proofs and 
> provides excellent security as-is.

On Wed, Dec 4, 2024 at 12:42 PM John Mattsson <john.mattsson=40ericsson....@dmarc.ietf.org> wrote:

That would address your concern.

John

From: Salz, Rich <rsalz=40akamai....@dmarc.ietf.org>
Date: Wednesday, 4 December 2024 at 15:21
To: John Mattsson <john.matts...@ericsson.com>, Sean Turner <s...@sn3rd.com>, TLS List <tls@ietf.org>
Subject: Re: [TLS] Re: Working Group Last Call for TLS 1.2 is in Feature Freeze

>TLS 1.3 enjoys robust
>security proofs and provides excellent security as-is.
As-is, TLS 1.3 does not provide excellent security for long-term connections.
It removes essential features such as asymmetric rekeying and reauthentication.

Would changing it to “provides excellent security for many use-cases as-is” 
address your concern?  Or “can provide excellent security”?  Or does that open 
up the case where people say “where does it not apply?”  Would it be better to 
just remove the “and provides” phrase altogether?

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org