-----Original Message-----
From: Peter Saint-Andre [mailto:[email protected]]
Sent: Wednesday, May 28, 2014 11:48 AM
To: Trevor Freeman; [email protected]
Subject: Re: [Uta] TLS BCP SSL v3 == TLS 1.0
On 5/28/14, 12:15 PM, Trevor Freeman wrote:
> I am curious why the draft treats SSL v3 (SHOULD NOT) differently to
> TLS v1.0 (MAY)

We received feedback about that at the London meeting and haven't incorporated it yet.

> From a security perspective, they are equivalent in that there are no
> significant threats mitigated by TLS 1.0.
>
> TLS 1.0 is still vulnerable to the BEAST attack so it should be a
> SHOULD NOT like SSL v3.

Ack.

> Given the vulnerability of these versions to the BEAST attack, we
> should set a date to flip them from SHOULD NOT to MUST NOT to send a
> stronger message to stop using these versions.

IMHO it's not the function of this document to be setting flag days.

[TF] The document is supposed to be defining best practice. That seems hard to reconcile with unbounded continued use of a protocol with a known vulnerability. If you don't want to set a date, why not flip the SHOULD to MUST? That may mean some are not compliant with best practice, but it clarifies the position on use of protocols with vulnerabilities.

Peter

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
