Adding some data to my previous mail:
As of Jan. 2014, 65% of the top 1M Web servers did not speak TLS 1.1 or
1.2 [1]. So while we should move implementations to TLS 1.2 (as we do in
this draft), it is probably too early to mandate against the fallback to
TLS 1.0.
Thanks,
Yaron
[1] https://jve.linuxwall.info/blog/index.php?post/TLS_Survey
On 07/06/2014 10:09 PM, Yaron Sheffer wrote:
Hi Trevor, thanks for your review. Please see my comments in line.
On 06/30/2014 09:11 PM, Trevor Freeman wrote:
General Comments.
[...]
Section 3.2 still treats SSL 3.0 differently to TLS 1.0. Why is it ok to
fall back to TLS 1.0 but not SSL 3.0 if both offer the same security?
This is a good question. I believe the answer is, because much of the
server population still only supports TLS 1.0, and if we recommend
otherwise, the recommendation will be ignored for (justified)
interoperability reasons. But I may be wrong about the prevalence of
such servers.
[...]
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta