I am curious why the draft treats SSL v3 (SHOULD NOT) differently to TLS v1.0 (MAY)
>From a security perspective, they are equivalent in that they are no >significant threats mitigated by TLS 1.0. TLS 1.0 is still vulnerable to the BEAST attack so it should be a SHOULD NOT like SSL v3. Given the vulnerability of these versions to the BEAST attack, we should set a date to flip then from SHOUND NOT to MUST NOT to send a stronger message to stop using these versions. Trevor
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
