> On Apr 26, 2019, at 11:24 AM, Salz, Rich <rs...@akamai.com> wrote:
>
> If they haven’t already moved off TLS 1 then maybe this document will give
> the right people a push to do so.
>
> Nobody is going to arrest an MTA for non-compliance.
Of course. And as I said, I'd like to see the document move forward, I just wanted to see whether there was any appetite for adding some operator guidance. It's not an issue of internet policing, rather it is a question of whether there should be advice for operators who are considering disabling the legacy protocols.

The sound-bite version is: first raise the ceiling, *then* the floor. The advice would therefore be for everyone to first make sure that their systems support at least TLS 1.2, and not just the now deprecated versions. And then check whether the same holds true for their application ecosystem and, if so, disable the protocols at that time.

In unauthenticated opportunistic TLS, where cleartext is used when TLS handshakes fail, removing support for TLS 1.0 can reduce security in the short term (some messages needlessly going in cleartext). Yes, this may be what it takes to finally get the long-tail procrastinators to upgrade. The operational question then boils down to timing: when is your application ecosystem ready to drop the training wheels?

Anyway, it does not look like there's much interest in adding operational considerations, which users will then perhaps learn about elsewhere if need be. That's fine...

-- 
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
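The "check your application ecosystem before lowering the floor" step above can be done from an MTA's own TLS logs. The following is an added example, not code from this thread or from any MTA project; the log line format and the peer names are constructed for illustration, and the script flags peers that have only ever negotiated TLS 1.0/1.1, i.e. the sessions that would fall back to cleartext (or fail) under opportunistic TLS once the legacy versions are disabled.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumption: the format is illustrative and
# loosely modelled on typical MTA "TLS connection established" logging).
SAMPLE_LOG = """\
TLS connection established from mx1.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
TLS connection established from mx1.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384
TLS connection established from legacy.example.org[198.51.100.7]: TLSv1 with cipher AES256-SHA
TLS connection established from legacy.example.org[198.51.100.7]: TLSv1 with cipher AES256-SHA
TLS connection established from relay.example.com[203.0.113.5]: TLSv1.1 with cipher AES128-SHA
TLS connection established from relay.example.com[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256
"""

LINE_RE = re.compile(
    r"established from (?P<peer>\S+)\[(?P<ip>[^\]]+)\]: (?P<version>TLSv[\d.]+)"
)
# OpenSSL-style version names: "TLSv1" is TLS 1.0.
LEGACY_VERSIONS = {"TLSv1", "TLSv1.1"}


def parse_sessions(log_text):
    """Map each peer hostname to the list of TLS versions it negotiated."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            sessions[m["peer"]].append(m["version"])
    return dict(sessions)


def legacy_only_peers(sessions):
    """Peers that never reached TLS 1.2+: they have not 'raised the ceiling' yet."""
    return sorted(peer for peer, vers in sessions.items() if not (set(vers) - LEGACY_VERSIONS))


def readiness_report(sessions):
    """Summarise how much traffic still depends on TLS 1.0/1.1 and whether the
    floor can be raised without pushing any known peer to cleartext."""
    total = sum(len(v) for v in sessions.values())
    legacy = sum(1 for v in sessions.values() for ver in v if ver in LEGACY_VERSIONS)
    stuck = legacy_only_peers(sessions)
    return {
        "total_sessions": total,
        "legacy_sessions": legacy,
        "legacy_fraction": legacy / total if total else 0.0,
        "legacy_only_peers": stuck,
        "ready_to_drop_legacy": not stuck,
    }
```

A peer that appears in both the legacy and the modern buckets (relay.example.com here) is not a blocker: it already negotiates TLS 1.2 when offered, so only the peers in `legacy_only_peers` need chasing before the floor is raised.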