On 2015/10/03 0:24, Salz, Rich <rs...@akamai.com> wrote:

> 
>> 1) We know the CRIME threat, but it cannot be a risk for everyone.
>> e.g., CVSS v2 Base Score: 2.6 (LOW)
> 
> CVSS isn't always appropriate; CVSS2 called Heartbleed a 5; CVSS v3 called it 
> 7.5

We know it, but it is one of the indicators.
How can you express the danger or risk instead of it?
My point is: is CRIME a risk in every case, even when we have the option in tls1.3,
in case the default is off?

> 
>> Which one is safer, "tls1.2" vs. "tls1.3 with comp/decomp"?
> 
> They are equivalent.  If you use AES-GCM and ECDHE, and you don't need 0RTT, 
> then there is no compelling reason to use TLS 1.3.

If so, some people can skip tls1.3.

;; takamixhi saito
c2xhYWlidHNvcw
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
