Hi David,
* While it's true there is still plenty of 1.2 in many environments, defining a new extension like flags or connection ID won't make it apply to those connections. Both sides need to deploy new code to implement that extension. That means we shouldn't be looking at the trailing end of each environment, but the state of new deployments and where those should go. In that light, I think it makes sense to focus new protocol development on 1.3. If you have to deploy new TLS software anyway, you should migrate to 1.3. This is just my experience: our partners are interested in moving to TLS 1.3. That’s great. There is still a lot of deployment based on 1.2. This deployment needs to be maintained. Companies have deployed the CID extension already and will apply software updates. Updating the code to add a feature, a bugfix and alike is one thing. Switching out the security stack altogether is not a minor thing. * Indeed it's because there is still an existing 1.2 deployment that we should be judicious with backports. Today, nearly every TLS implementation needs to implement both 1.2 and 1.3. The ClientHello is cross-version, so it is not possible for a client to say "I implement xyz extension only at 1.3". That means anyone implementing a backported extension must implement and test it in 1.2, even though it'll be virtually unused. Existing 1.2 peers don't implement it and new peers will use it at 1.3. In the IoT space, the device have constraints. They are not implementing a dual stack 1.2 / 1.3 version for Cortex M class devices (at least in almost all cases). If I have to define an extension for use with the ClientHello in DTLS 1.2 and a different one (based on flags) in DTLS 1.3 then this would not make my life any easier. Ciao Hannes On Thu, Nov 4, 2021 at 9:57 AM Hannes Tschofenig <hannes.tschofe...@arm.com<mailto:hannes.tschofe...@arm.com>> wrote: The term “obsolete” appears to be used incorrectly when it comes to TLS/DTLS 1.2 used in the IoT environment. It is widely used today and I expect it to be used for a while since (a) there are no security problems with it (when configured correctly), and (b) for many use cases it also offers suitable performance. There is a well-tested open source codebase available for TLS/DTLS 1.2. While I am a big fan of TLS / DTLS 1.3, I would also like to acknowledge the speed at which the market operates. From: John Mattsson <john.matts...@ericsson.com<mailto:john.matts...@ericsson.com>> Sent: Thursday, November 4, 2021 2:11 PM To: Hannes Tschofenig <hannes.tschofe...@arm.com<mailto:hannes.tschofe...@arm.com>>; IETF TLS <tls@ietf.org<mailto:tls@ietf.org>> Subject: Re: Flags Extension: why only for TLS 1.3? TLS 1.2 has been obsolete for over three years. Oxford dictionary defines obsolete as "no longer produced or used; out of date." NIST requires support of TLS 1.3 everywhere no later than Jan 2024, which at least in theory means no negotiation of TLS 1.2. I think IETF, TLS WG, and TLS libraries should spend their time on TLS 1.3 rather than giving the false idea it is ok to stay on TLS 1.2. John From: TLS <tls-boun...@ietf.org<mailto:tls-boun...@ietf.org>> on behalf of Hannes Tschofenig <hannes.tschofe...@arm.com<mailto:hannes.tschofe...@arm.com>> Date: Monday, 25 October 2021 at 19:12 To: IETF TLS <tls@ietf.org<mailto:tls@ietf.org>> Subject: [TLS] Flags Extension: why only for TLS 1.3? Hi all, why is the flags extension only defined for TLS 1.3? There is nothing in this extension that prevents us from using it also in TLS 1.2. Could we make it also available to TLS 1.2? Ciao Hannes IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________ TLS mailing list TLS@ietf.org<mailto:TLS@ietf.org> https://www.ietf.org/mailman/listinfo/tls IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls