At Sat, 19 May 2007 20:34:06 -0700,
Tim Bray wrote:
On 5/18/07, Robert Sayre <sayrer(_at_)gmail(_dot_)com> wrote:
I think the substituted text is inadequate, because it is not clear
which TLS version implementors MUST support. As I understand it, the
fact that it is "tricky", implying there may be trade-offs, is not
sufficient to avoid specifying a single, mandatory-to-implement TLS
version.
Well Rob, I think the community at large and the IESG in particular
would welcome suggestions on what to do with this one. In fact, we
know what's going to happen: implementors will use the default TLS
library for whatever platform they're on, and this will do the job,
most times. However, I think that we have better-than-rough consensus
that the specification landscape is a mess, making normative
references a bitch, and that this will probably bite nearly
everything in the Apps area from here on in.
I hope someone with the necessary expertise will take this bull by the
horns. -Tim
I agree that these specs should explicitly specify which TLS version
to support. As a practical matter, this is either 1.0 or 1.1, since
1.2 is not yet finished. Unfortunately, which one to require isn't
really something that can be decided on technical grounds: the
protocols are very slightly different and (at least in theory)
backward compatible. TLS 1.1 is slightly more secure and TLS 1.0 is
quite a bit more widely deployed.
On balance, I think this probably turns into a MUST for 1.0 and a
SHOULD for 1.1, but I could certainly see this argued another way.
-Ekr
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf