On 2007-05-22 07:51, Philip Guenther wrote:
On Mon, 21 May 2007, Jeffrey Hutzelman wrote:
...
It seems to me that specs should _not_ explicitly specify which TLS
version to support, and should instead refer to an STD number.
Applications don't generally specify which verisons of IP or TCP to
use, and TLS is at a similar level of abstraction -- except that the
situation is not as painful, because using a different version of IP
means you have to use completely different names, whereas using a
different version of TLS does not.
We expect application protocols that require TLS to specify a mandatory-
-to-implement ciphersuite to guarantee interoperability between clients
and servers. How is the TLS version any different? A client that only
supports TLS 1.0 will fail at handshake time if the server only supports
TLS 1.1. Therefore, if interoperability is the goal, requiring support
for a specific version is necessary.
Since as you point out, TLS has version negotiation, don't you mean
"support for at least one specific version is necessary"? And presumably
that would be a version whose security is believed to be minimally
adequate, with all earlier versions being forbidden. For example
Implementations SHOULD support TLS 1.1 or later, MUST support TLS 1.0,
MAY support SSLv3, and MUST NOT support SSLv2 or earlier.
Brian
--
NEW: Preferred email for non-IBM matters:
brian(_dot_)e(_dot_)carpenter(_at_)gmail(_dot_)com
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf