Hi,

We are now revising RFC 7525 for the new world, and in general we are following 
this draft. So, MUST NOT negotiate TLS 1.0 and 1.1. This brought up the 
question of SCSV, which was new when RFC 7525 was published but has since been 
widely implemented/deployed.

I think marking the “oldversions” draft as “obsoletes RFC 7507 (SCSV)” is not 
great from an ecosystem point of view. People will interpret it as “no need to 
implement SCSV in new code, no need to expose it as a configuration option in 
existing code”. And we know that some admins will continue to allow downgrade 
to TLS 1.0/1.1 no matter what we tell them. IMO we should protect these people 
from downgrade attacks, even if we disagree with their policy.

So I would call for a more nuanced wording re: SCSV, something like 
(paraphrasing EKR):

In the world where the only valid values of TLS are 1.2 and 1.3+, the TLS 1.3 
fallback mechanism should render the SCSV unnecessary. However for existing 
client and server implementations that still include support for earlier TLS 
versions, SCSV should continue to be supported.

Thanks,
        Yaron


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
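
The two downgrade signals the message contrasts, as an added sketch that is not part of the original message: the RFC 7507 SCSV check on the server, and the TLS 1.3 fallback mechanism (the ServerHello.random sentinel of RFC 8446, section 4.1.3). The function names and the `offered_max` parameter are assumptions made for this illustration.

```python
# Added illustration, not code from the message or from any TLS stack.
# Constants are from RFC 7507 and RFC 8446; function names are hypothetical.
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite {0x56, 0x00}
INAPPROPRIATE_FALLBACK = 86         # RFC 7507 alert code
SENTINEL_TLS12 = b"DOWNGRD\x01"     # RFC 8446 4.1.3: 1.3 server negotiating 1.2
SENTINEL_TLS11 = b"DOWNGRD\x00"     # RFC 8446 4.1.3: 1.2+ server negotiating <= 1.1


def scsv_alert(offered_max, cipher_suites, server_max):
    """Server side of RFC 7507: alert code to send, or None to continue.

    offered_max is the highest version the ClientHello offers (assumption: a
    simplification of client_version that also covers supported_versions).
    """
    if TLS_FALLBACK_SCSV in cipher_suites and server_max > offered_max:
        return INAPPROPRIATE_FALLBACK
    return None


def downgrade_sentinel(negotiated, server_max):
    """Server side of RFC 8446 4.1.3: last 8 bytes of ServerHello.random, or None."""
    if server_max >= TLS13 and negotiated == TLS12:
        return SENTINEL_TLS12
    if server_max >= TLS12 and negotiated <= TLS11:
        return SENTINEL_TLS11
    return None


def client_must_abort(server_random, client_max, negotiated):
    """Client side of RFC 8446 4.1.3: True if the sentinel reveals a downgrade."""
    tail = server_random[-8:]
    if client_max >= TLS13 and negotiated <= TLS12:
        return tail in (SENTINEL_TLS12, SENTINEL_TLS11)
    if client_max == TLS12 and negotiated <= TLS11:
        return tail == SENTINEL_TLS11
    return False
```

With a server capped at TLS 1.1, `downgrade_sentinel` returns nothing, so a client that fell back from 1.1 to 1.0 is stopped only by the SCSV check.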
