Yaron Sheffer wrote:

> Viktor is raising an important issue that I'd like to open on the list:
> the BCP draft implicitly applies to opportunistic uses of TLS (meaning,
> the client connects to the server without validating the server
> certificate). In general, such uses are definitely in scope of the
> working group.
>
> [...]
>
> So we could:
>
> 1. Say explicitly that opportunistic TLS is out of scope.
> 2. Or say explicitly that it is in scope, and with the same requirements
> as "regular" TLS.
> 3. Or come up with a different set of requirements for opportunistic TLS.
>
> I tend towards #2, because:
>
> - With channel bindings, you can convert an unauthenticated TLS channel
> into an authenticated one, after the fact.
> - Also, because we do not want to fragment the TLS ecosystem.
> - Lastly, an opportunistic deployment can eventually become
> authenticated TLS, when DANE is introduced.
+1

There isn't much choice anyhow. So going for 'opportunistic' TLS rather than only allowing strict TLS (which I'd like to see deployed, but is far from doable right now) is the only real option this WG can go for. It's also the only option most other groups working on TLS or related standards will accept right now, I take it.

Aaron
_______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
