On Thu, Oct 22, 2015 at 01:18:37PM -0500, Benjamin Kaduk wrote:
> On 10/22/2015 01:00 PM, Salz, Rich wrote:
> >> That is, the library update can be transparent to the end-user, who will
> >> continue to expect normal functionality and expect everything to work.
> > Should all applications suddenly start using TLS 1.3 without any changes?
> > Really? Or should what *they used to do* just work as it was? If that?
> > Suppose what they used to do is now considered bad practice?
>
> If we (okay, not "we", library implementors) require explicit
> application opt-in to TLS 1.3, the adoption rate is probably not going
> to be very good. So, yes, I think applications should start using TLS
> 1.3 without any changes.

As a note, I have personally seen bad security resulting from
applications having to enable TLS versions.

I expect applications to start supporting TLS 1.3 with just upgrading
the crypto shared object, without even changing the application
executable.

Of course, features like 0-RTT won't work without application support,
but nothing existing uses those anyway.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls