Hi, We are now revising RFC 7525 for the new world, and in general we are following this draft. So, MUST NOT negotiate TLS 1.0 and 1.1. This brought up the question of SCSV, which was new when RFC 7525 was published but has since been widely implemented/deployed.
I think marking the “oldversions” draft as “obsoletes RFC 7507 (SCSV)” is not great from an ecosystem point of view. People will interpret it as “no need to implement SCSV in new code, no need to expose it as a configuration option in existing code”. And we know that some admins will continue to allow downgrade to TLS 1.0/1.1 no matter what we tell them. IMO we should protect these people from downgrade attacks, even if we disagree with their policy. So I would call for a more nuanced wording re: SCSV, something like (paraphrasing EKR): In the world where the only valid values of TLS are 1.2 and 1.3+, the TLS 1.3 fallback mechanism should render the SCSV unnecessary. However for existing client and server implementations that still include support for earlier TLS versions, SCSV should continue to be supported. Thanks, Yaron _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls