> On Apr 26, 2019, at 11:24 AM, Salz, Rich <rs...@akamai.com> wrote:
> 
> If they haven’t already moved off TLS 1 then maybe this document will give 
> the right people a push to do so.
>  
> Nobody is going to arrest an MTA for non-compliance.

Of course.

And as I said, I'd like to see the document move forward, I just
wanted to see whether there was any appetite for adding some
operator guidance.  It's not an issue of internet policing,
rather it is a question of whether there should be advice for
operators who are considering disabling the legacy protocols.

The sound-bite version is: first raise the ceiling, *then* the floor.

The advice would therefore be for everyone to first make sure that
their systems support at least TLS 1.2, and not just the now deprecated
versions.  And then check whether the same holds true for their application
ecosystem and if so disable the protocols at that time.

In unauthenticated opportunistic TLS where cleartext is used when TLS
handshakes fail, removing support for TLS 1.0 can reduce security in the
short term (some messages needlessly going in cleartext).  Yes, this may
be what it takes to finally get the long tail procrastinators to upgrade.

The operational question then boils down to timing: when is your application
ecosystem ready to drop the training wheels?

Anyway, it does not look like there's much interest in adding operational
considerations, which users will then perhaps learn about elsewhere if
need be.  That's fine...

-- 
        Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
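As an added illustration of the "check your ecosystem before raising the floor" step discussed in the message above (example code, not from the thread or from any MTA), the script below runs over constructed sample session logs and reports which peers have never negotiated at least TLS 1.2 and so would fall back to cleartext under opportunistic TLS once the older versions are disabled. The log line format, peer names and counts are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (not real traffic): one record per inbound
# session, with the protocol the peer negotiated, or "none" for cleartext.
SAMPLE_LOG = """\
2019-04-26T11:24:01Z peer=mx1.example.net tls=TLSv1.2
2019-04-26T11:24:02Z peer=mx1.example.net tls=TLSv1.3
2019-04-26T11:24:03Z peer=legacy.example.org tls=TLSv1
2019-04-26T11:24:04Z peer=legacy.example.org tls=TLSv1
2019-04-26T11:24:05Z peer=mixed.example.com tls=TLSv1.1
2019-04-26T11:24:06Z peer=mixed.example.com tls=TLSv1.2
2019-04-26T11:24:07Z peer=plain.example.net tls=none
"""

# Protocol ordering used to decide what "at least TLS 1.2" means.
RANK = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
LINE_RE = re.compile(r"peer=(?P<peer>\S+)\s+tls=(?P<tls>\S+)")

def assess_floor_raise(log_text, floor="TLSv1.2"):
    """Report which peers would lose TLS entirely if the floor were raised.

    A peer counts as ready if it has negotiated at least `floor` on any
    session; a peer that only ever negotiated older versions would, under
    opportunistic TLS, fall back to cleartext once those versions are off.
    """
    best = {}             # peer -> highest TLS version seen
    sessions = Counter()  # version -> number of sessions
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        peer, tls = m.group("peer"), m.group("tls")
        sessions[tls] += 1
        if tls in RANK and RANK[tls] > RANK.get(best.get(peer), 0):
            best[peer] = tls
    at_risk = sorted(p for p, v in best.items() if RANK[v] < RANK[floor])
    legacy_sessions = sum(n for v, n in sessions.items()
                          if v in RANK and RANK[v] < RANK[floor])
    tls_sessions = sum(n for v, n in sessions.items() if v in RANK)
    return {
        "sessions_by_version": dict(sessions),
        "peers_below_floor": at_risk,
        "legacy_session_share": legacy_sessions / tls_sessions if tls_sessions else 0.0,
    }

if __name__ == "__main__":
    report = assess_floor_raise(SAMPLE_LOG)
    print(report)
```

A non-empty `peers_below_floor` list is the signal that raising the floor now would push those peers to cleartext; an operator would want that list to shrink before disabling the legacy versions.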
