Thank you for your feedback in this review. Responses inline as to how I propose it is addressed:

On Sat, Apr 13, 2019 at 12:16 AM Martin Thomson <m...@lowentropy.net> wrote:

> Section 1.1 doesn't say *how* those listed documents are updated. Might
> pay to include a few words on how.

Thank you, that was helpful feedback. I changed the introduction text as follows:

OLD: This document updates these RFCs that normatively reference TLSv1.0 or TLSv1.1 or DTLS1.0 and have not been obsoleted.

NEW: This document updates the following RFCs that normatively reference TLSv1.0 or TLSv1.1 or DTLS1.0. The update is to obsolete usage of these older versions. Fallback to these versions is prohibited through this update.

> Section 2 can be cut down a lot. The quote from another document is longer
> than the rest of the text. In many ways, saying that the IETF is moving
> last is not a great thing to memorialize in RFC, as much as it is useful in
> an Internet-Draft or in argumentation in support of publication of the doc.

A bunch has been cut out already, but I propose also cutting out the following text to address your specific point (well taken): 1st paragraph and last 2.

REMOVE: Industry has actively followed guidance provided by NIST and the PCI Council to deprecate TLSv1.0 and TLSv1.1 by June 30, 2018. TLSv1.2 should remain a minimum baseline for TLS support at this time. The Canadian government treasury board have also mandated that these old versions of TLS not be used. Various companies and web sites have announced plans to deprecate these old versions of TLS.

> The title of Section 3 could be a bit clearer.

Proposed: SHA-1 Usage Problematic in TLSv1.0 and TLSv1.1

If you have a more terse suggestion, please post. I agree this should be more clear.

> It might pay to explain what RFC 7525 is in Section 6. Why does that
> document warrant special attention over the 70-odd other ones.

Good point, how about the following text:

PROPOSED: RFC7525, BCP195, "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", is the most recent best practice document for implementing TLS and was based off of TLSv1.2. At the time of publication, TLSv1.0 and TLSv1.1 had not yet been deprecated. As such, this document is called out specifically to update text implementing the deprecation recommendations of this document.

> Otherwise, publish this.

Thank you! I'll continue through the rest of the messages, but may have a delay when tending to other responsibilities. I am putting the proposals into a new version to upload to the git repository.

Best regards,
Kathleen

> On Sat, Apr 13, 2019, at 09:28, Christopher Wood wrote:
> > This is the working group last call for the "Deprecating TLSv1.0 and
> > TLSv1.1" draft available at:
> >
> > https://datatracker.ietf.org/doc/draft-ietf-tls-oldversions-deprecate/
> >
> > Please review the document and send your comments to the list by April
> > 26, 2019.
> >
> > Thanks,
> > Chris, Joe, and Sean
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls

-- 
Best regards,
Kathleen
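Added example, not part of this thread or of the draft under discussion: the proposed Section 3 title ("SHA-1 Usage Problematic in TLSv1.0 and TLSv1.1") rests on the fact that the TLS 1.0 and TLS 1.1 pseudorandom function is defined as P_MD5 XOR P_SHA-1 (RFC 2246 and RFC 4346, section 5), so every key those versions derive is bound to MD5 and SHA-1 with no way to negotiate anything else, whereas TLS 1.2 (RFC 5246, section 5) uses a single P_<hash> whose hash is tied to the cipher suite, SHA-256 by default. The code below implements both PRFs from those RFC definitions so the difference is concrete; the premaster secret, randoms and the 48-byte output length are constructed sample inputs, not test vectors from any RFC.

```python
"""TLS 1.0/1.1 PRF (MD5 XOR SHA-1) versus the TLS 1.2 PRF (single hash).

Added illustration of why key derivation in the deprecated versions is
inseparable from MD5 and SHA-1. All sample values below are constructed.
"""
import hmac

# Constructed sample inputs (NOT RFC test vectors).
PREMASTER = bytes(range(48))          # stand-in premaster secret
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32
LABEL = b"master secret"              # label used for master-secret derivation


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash data expansion (RFC 2246 / RFC 5246 section 5).

    P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
                           HMAC_hash(secret, A(2) + seed) + ...
    where A(0) = seed and A(i) = HMAC_hash(secret, A(i-1)).
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf_tls10(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 / TLS 1.1 PRF (RFC 2246 and RFC 4346 section 5).

    The secret is split into halves S1 and S2 (for an odd length the halves
    share the middle byte) and the two half-PRFs are XORed. The hashes are
    fixed by the protocol version: MD5 for S1, SHA-1 for S2. Nothing a
    cipher suite negotiates can change that.
    """
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def prf_tls12(secret: bytes, label: bytes, seed: bytes, length: int,
              hash_name: str = "sha256") -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): one P_<hash>.

    The hash comes from the cipher suite; SHA-256 is the default and suites
    may specify a stronger one, so the derivation is no longer tied to
    MD5 or SHA-1.
    """
    return p_hash(hash_name, secret, label + seed, length)


if __name__ == "__main__":
    seed = CLIENT_RANDOM + SERVER_RANDOM
    # 48 bytes is the master secret length in every TLS version up to 1.2.
    print("TLSv1.0/1.1 master secret:", prf_tls10(PREMASTER, LABEL, seed, 48).hex())
    print("TLSv1.2     master secret:", prf_tls12(PREMASTER, LABEL, seed, 48).hex())
```

The two `prf_*` functions take the same inputs and produce outputs of the same length, yet the older one cannot be run without MD5 and SHA-1 at all. That is the property the deprecation draft is reacting to: an implementation that "supports" TLS 1.0 or 1.1 keeps those algorithms on its key-derivation path regardless of how strong the cipher suite is.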