On Mon, Jul 18, 2022, at 15:34, Rob Wilton (rwilton) wrote:
> I completely get wanting the interop, but the MUST implement TLS 1.2
> still feels too strong given that AIUI, one of the reasons for TLS 1.3
> was to help mitigate some of the security issues that turned up in TLS
> 1.2. It feels reasonable to me for a server deployment to decide that
> they will only support TLS 1.3 because it is easier to deploy securely,
> placing the requirement on the client to also support TLS 1.3 for
> successful interop.

There is potentially room here for a "MUST...unless" shape to the document. I am not aware of any that do this currently, but a few years ago some websites dropped support for TLS 1.0 and 1.1 because they could be confident that browsers supported TLS 1.2. Or at least all those they cared about did. You might be able to conclude the same for TLS 1.3 today. But I don't think that you can drop TLS 1.2 today without some care and that approach is not really generally applicable.

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
