On 5/28/14, 12:15 PM, Trevor Freeman wrote:
I am curious why the draft treats SSL v3 (SHOULD NOT) differently to TLS v1.0 (MAY)?
We received feedback about that at the London meeting and haven't incorporated it yet.
From a security perspective, they are equivalent in that there are no significant threats mitigated by TLS 1.0. TLS 1.0 is still vulnerable to the BEAST attack, so it should be a SHOULD NOT like SSL v3.
Ack.
Given the vulnerability of these versions to the BEAST attack, we should set a date to flip them from SHOULD NOT to MUST NOT to send a stronger message to stop using these versions.
IMHO it's not the function of this document to be setting flag days.

Peter
