There are many things in the TLS BCP which cannot really be construed as a "best" practice since they are largely in there for interoperability.
Use of 3DES today, for instance, by no stretch of the imagination can be classed as a "best" practice.

Can I suggest a taxonomy for identifying practices in the BCP which are either best, acceptable or minimal in the document? By and large these would map to things that are MUST and SHOULD, or MAY or SHOULD NOT. E.g.

* If I negotiate TLS 1.2 with EC, PFS, AES GCM, then that would be a best practice
* If I negotiate TLS 1.1 with RSA, AES, that would be acceptable
* If I negotiate TLS 1.0 with RSA and 3DES, that would be minimal

It would be really useful to be able to surface to an application whether a connection was a best, acceptable or minimal practice without exposing the gory detail.

Trevor
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
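As an added illustration of the three-tier idea in Trevor's post (this is example code written for this page, not code from the post, the UTA list or the BCP), the following Python rates a negotiated connection as best, acceptable or minimal and lets an application ask for that rating without seeing the cipher-suite detail. The tier boundaries are an assumption taken only from the three examples in the post (TLS 1.2 / PFS / AES-GCM, TLS 1.1 / static RSA / AES, TLS 1.0 / static RSA / 3DES); DHE is treated like ECDHE because it also gives PFS, and the OpenSSL suite-name parsing is a deliberate simplification that recognises only the families needed for those tiers. The names `Tier`, `Negotiated`, `rate`, `parse_openssl_suite`, `rate_openssl_suite` and `rate_socket` are all made up here.

```python
"""Rate a negotiated TLS connection as best / acceptable / minimal.

Example code added to illustrate the taxonomy proposed in the post above.
The tier table is an assumption derived from the post's three examples,
not from the BCP's own MUST/SHOULD/MAY language.
"""
import ssl
from enum import IntEnum
from typing import NamedTuple, Tuple


class Tier(IntEnum):
    MINIMAL = 1
    ACCEPTABLE = 2
    BEST = 3


class Negotiated(NamedTuple):
    version: str       # as reported by ssl.SSLSocket.version(), e.g. "TLSv1.2"
    key_exchange: str  # "ECDHE", "DHE" or "RSA" (static RSA, no PFS)
    cipher: str        # "AES-GCM", "AES-CBC" or "3DES"


# Per-dimension tiers (assumption, from the post's examples). Anything not
# listed is deliberately left unrated rather than guessed.
VERSION_TIER = {"TLSv1.2": Tier.BEST, "TLSv1.1": Tier.ACCEPTABLE, "TLSv1": Tier.MINIMAL}
KX_TIER = {"ECDHE": Tier.BEST, "DHE": Tier.BEST, "RSA": Tier.ACCEPTABLE}
CIPHER_TIER = {"AES-GCM": Tier.BEST, "AES-CBC": Tier.ACCEPTABLE, "3DES": Tier.MINIMAL}


def rate(n: Negotiated) -> Tier:
    """The overall tier is the weakest dimension: a TLS 1.2 connection that
    still negotiated 3DES is only 'minimal', not 'best'."""
    try:
        parts = (VERSION_TIER[n.version], KX_TIER[n.key_exchange], CIPHER_TIER[n.cipher])
    except KeyError as e:
        raise ValueError(f"not classified by this taxonomy: {e.args[0]}") from None
    return min(parts)


def parse_openssl_suite(name: str) -> Tuple[str, str]:
    """Map an OpenSSL suite name (what ssl.SSLSocket.cipher()[0] returns) to
    (key_exchange, cipher). Simplified: only the families needed for the
    three tiers are recognised; PSK, anonymous and other ciphers raise."""
    if name.startswith(("ADH-", "AECDH-", "PSK-", "SRP-")) or "-PSK-" in name:
        raise ValueError(f"key exchange not classified: {name}")
    if name.startswith("ECDHE-"):
        kx = "ECDHE"
    elif name.startswith("DHE-"):
        kx = "DHE"
    else:
        kx = "RSA"  # OpenSSL omits the prefix for static RSA key exchange
    if "AES" in name and "GCM" in name:
        cipher = "AES-GCM"
    elif "AES" in name and "CCM" not in name:
        cipher = "AES-CBC"  # SHA-1 CBC suites omit "CBC", e.g. AES128-SHA
    elif "DES-CBC3" in name:
        cipher = "3DES"
    else:
        raise ValueError(f"cipher not classified: {name}")
    return kx, cipher


def rate_openssl_suite(version: str, suite: str) -> Tier:
    kx, cipher = parse_openssl_suite(suite)
    return rate(Negotiated(version, kx, cipher))


def rate_socket(sock: ssl.SSLSocket) -> Tier:
    """Surface the tier for a live connection without exposing the detail:
    SSLSocket.version() gives the protocol, cipher()[0] the suite name."""
    name, _proto, _bits = sock.cipher()
    return rate_openssl_suite(sock.version(), name)


if __name__ == "__main__":
    # Constructed sample negotiations, one per tier plus a mixed case.
    for ver, suite in [("TLSv1.2", "ECDHE-ECDSA-AES128-GCM-SHA256"),
                       ("TLSv1.1", "AES128-SHA"),
                       ("TLSv1", "DES-CBC3-SHA"),
                       ("TLSv1.2", "ECDHE-RSA-DES-CBC3-SHA")]:
        print(ver, suite, "->", rate_openssl_suite(ver, suite).name)
```

Taking the minimum across the three dimensions is what keeps the rating honest: a modern protocol version does not excuse a legacy cipher, which is exactly the 3DES point the post makes. Extending the taxonomy to newer suites or versions means adding rows to the three tables, not changing the rating logic.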
