The operators themselves are probably not in a position to either implement
supported_versions or not in TLS 1.2. If an operator, for whatever reason,
only has a TLS 1.2 implementation on hand, it presumably predates TLS 1.3
and thus does not implement supported_versions. If it implements
supported_versions, it presumably postdates TLS 1.3 and the operator should
enable the TLS 1.3 bit.

So, yes, I'd agree there's not much benefit to recommend that a
TLS-1.2-only implementation add supported_versions, or that an operator
look for such an implementation. Any implementation-gated effort is better
spent getting to TLS 1.3.

On Tue, Nov 16, 2021 at 11:14 AM Peter Saint-Andre <stpe...@mozilla.com>
wrote:

> On 11/16/21 8:42 AM, Hanno Böck wrote:
> > On Tue, 16 Nov 2021 08:36:31 -0700
> > Peter Saint-Andre <stpe...@mozilla.com> wrote:
> >
> >> By our reading, it doesn't make any difference to a TLS 1.2
> >> implementation whether it sends or receives the "supported_versions"
> >> extension. Corrections welcome, of course! If this is the case, we'd
> >> prefer not to recommend that TLS 1.2 implementations specifically add
> >> support for this extension, since upgrading to TLS 1.3 is best anyway.
> >
> > I have a question about this question:
> > I think it's generally agreed that TLS 1.3 provides much better
> > security than TLS 1.2 (that was ultimately why it's been created).
> >
> > Why would you even write a recommendation for what people should do
> > with TLS 1.2-only implementations? (I understand this is merely
> > relevant for implementations not supporting TLS 1.3 at all.) Shouldn't
> > the recommendation be: "Don't. Please support TLS 1.3." ?
>
> Well, draft-ietf-uta-rfc7525bis, and RFC 7525 before it, is geared
> toward operators. Although in the bis document we do recommend 1.3 over
> 1.2 (and follow RFC 8996 in completely deprecating 1.0 and 1.1), we also
> provide recommendations for how to support 1.2 most safely before
> upgrading to 1.3. See the Internet-Draft for details and if you have
> feedback on our recommendations, please do post to the u...@ietf.org list.
>
> Peter
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

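To make the negotiation point in the thread concrete: the following is an added example, not code from the thread or from any TLS implementation, that applies the server-side version selection rule of RFC 8446 section 4.2.1 to a constructed ClientHello extensions block. The extension type number (43), the wire layout of supported_versions, and the version codes are taken from RFC 8446; the ClientHello fragments and the `reads_extension` switch are constructed for illustration.

```python
# Added example (not from the thread): RFC 8446 version negotiation and why a
# TLS 1.2-only server reaches the same answer whether or not it parses the
# supported_versions extension.
import struct

TLS12 = 0x0303
TLS13 = 0x0304
EXT_SUPPORTED_VERSIONS = 43  # extension type from the RFC 8446 registry


def parse_extensions(blob: bytes) -> dict:
    """Parse a ClientHello extensions vector: 2-byte total length, then
    repeated (2-byte type, 2-byte length, data) entries."""
    (total,) = struct.unpack("!H", blob[:2])
    body = blob[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated extensions block")
    exts, pos = {}, 0
    while pos < len(body):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        if len(data) != elen:
            raise ValueError("truncated extension")
        if etype in exts:
            raise ValueError("duplicate extension %d" % etype)
        exts[etype] = data
        pos += 4 + elen
    return exts


def parse_supported_versions(data: bytes) -> list:
    """ClientHello form: 1-byte length, then 2-byte ProtocolVersion entries."""
    n = data[0]
    if n == 0 or n % 2 or n != len(data) - 1:
        raise ValueError("malformed supported_versions")
    return list(struct.unpack("!%dH" % (n // 2), data[1:]))


def negotiate(legacy_version: int, exts: dict, server_max: int,
              reads_extension: bool = True) -> int:
    """Server-side version selection.

    server_max is the highest version this server speaks (TLS12 or TLS13).
    reads_extension=False models a pre-1.3 server that does not know
    supported_versions and therefore ignores it (constructed switch)."""
    if reads_extension and EXT_SUPPORTED_VERSIONS in exts:
        # RFC 8446: when the extension is present, use it and ignore
        # legacy_version; pick the highest mutually supported version.
        offered = parse_supported_versions(exts[EXT_SUPPORTED_VERSIONS])
        candidates = [v for v in offered if TLS12 <= v <= server_max]
        if not candidates:
            raise ValueError("no mutually supported version")
        return max(candidates)
    # Pre-1.3 rule: highest version <= legacy_version, never 1.3 this way.
    return min(legacy_version, TLS12)


def build_extensions(entries) -> bytes:
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in entries)
    return struct.pack("!H", len(body)) + body


def supported_versions_ext(versions) -> bytes:
    return bytes([2 * len(versions)]) + b"".join(
        struct.pack("!H", v) for v in versions)


# Constructed ClientHello fragments: (legacy_version, extensions block).
HELLO_13_CLIENT = (TLS12, build_extensions(
    [(EXT_SUPPORTED_VERSIONS, supported_versions_ext([TLS13, TLS12]))]))
HELLO_12_CLIENT = (TLS12, build_extensions([]))


def outcomes() -> dict:
    """Negotiated version for every client/server pairing."""
    result = {}
    for cname, (legacy, blob) in (("client13", HELLO_13_CLIENT),
                                  ("client12", HELLO_12_CLIENT)):
        exts = parse_extensions(blob)
        for sname, smax in (("server13", TLS13), ("server12", TLS12)):
            result[(cname, sname)] = negotiate(legacy, exts, smax)
    return result


def tls12_server_indifferent() -> bool:
    """A TLS 1.2-only server picks the same version whether it parses
    supported_versions or ignores it."""
    exts = parse_extensions(HELLO_13_CLIENT[1])
    return (negotiate(TLS12, exts, TLS12, reads_extension=True)
            == negotiate(TLS12, exts, TLS12, reads_extension=False))


if __name__ == "__main__":
    for pair, v in outcomes().items():
        print(pair, hex(v))
    print("1.2-only server indifferent:", tls12_server_indifferent())
```

The two paths converge for a 1.2-only server because the extension can only ever add versions above what it speaks, and the pre-1.3 rule already lands on 1.2 from the fixed legacy_version of 0x0303; the extension only changes the result once the server itself can offer 1.3.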