Nikos Mavrogiannopoulos <nmav(_at_)redhat(_dot_)com>:
> [...] However, if you think that
> this has to be on standards track, please provide at least some
> argumentation for it.

draft-ietf-tls-downgrade-scsv-03 mandates server-side behavior (in response
to certain Client Hello messages) that requires wide deployment to achieve
the desired effect, hence Standards Track seems appropriate and
Informational status would be insufficient.

I don't agree with your assessment that "Making this a proposed standard,
would imply that the flawed technique is into standards track."
draft-ietf-tls-downgrade-scsv-03 does not say that clients should implement
a downgrade dance, it merely recommends sending a certain signal *if* they
choose to do so.

Also note that the point that some clients may use downgraded retries for
compatibility with buggy servers *is* already acknowledged by Standards
Track RFCs, e.g. RFC 5246 Appendix E.1: "Note: some server implementations
are known to implement version negotiation incorrectly. [...]
Interoperability with such buggy servers is a complex topic beyond the
scope of this document, and may require multiple connection attempts by the
client."

Bodo