Salz, Rich <rs...@akamai.com> writes:

>Peter has forgotten more about long-term embedded applications than the rest
>of us have experience. I’ll leave it to him to say why it’s important.
I was making a more general point about not assuming that the only thing that matters is TLS 1.3 vs. TLS 1.2, and that that's all that needs to be accommodated.

Because of the TLS family A vs. family B protocol fork, there will be family A around more or less forever. For example, just a few days ago I was part of a long conference call with a major global user who was looking at a minimum 15-year (but in practice I expect more like 20-30 year) support plan for an upcoming rollout of family A TLS. So just because TLS 1.3 exists doesn't mean all work on, and accommodation of, earlier versions should stop. In particular, that's why I wrote the TLS-LTS doc, because that explains how to apply family A in the safest manner possible for the foreseeable future.

In the specific case of supported_versions, there's no reason why the same thing can't be used to deal with e.g. TLS 1.0 -> TLS 1.2 version intolerance, which is still a thing. That's one thing that SSH did right (alongside a lot of stuff that TLS does much better): you can fingerprint a server via its ID string and work around problems when you connect without needing to change the code on the server you're connecting to.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
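The negotiation mechanism discussed above, modelled as an added example that is not part of the thread or of any TLS implementation: it encodes and parses the supported_versions extension in the RFC 8446 ClientHello layout (extension type 43, a uint8 list length followed by uint16 version codes), then contrasts a pre-RFC 8446 server that only looks at client_version (and aborts on an unknown value, which is the version-intolerance failure) with a server that negotiates from the extension list. The function names, the two server models and the helper `aborts` are this example's own inventions; the wire format and the "ignore client_version when the extension is present" rule are RFC 8446's. The last function shows the same trick applied to the TLS 1.0 -> TLS 1.2 intolerance case Peter mentions.

```python
"""Added example (not from the thread): how supported_versions sidesteps
version-intolerant servers, and why client_version alone could not."""
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 section 4.2.1


def encode_supported_versions(versions):
    """ClientHello form: uint8 byte-length of the list, then uint16 version
    codes in preference order, wrapped in the generic (type, length) header."""
    body = struct.pack("!B", 2 * len(versions))
    body += b"".join(struct.pack("!H", v) for v in versions)
    return struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body


def decode_extensions(blob):
    """Parse a concatenation of TLS extensions into {type: body}."""
    exts, off = {}, 0
    while off < len(blob):
        etype, elen = struct.unpack_from("!HH", blob, off)
        off += 4
        if off + elen > len(blob):
            raise ValueError("truncated extension")
        exts[etype] = blob[off:off + elen]
        off += elen
    return exts


def parse_supported_versions(body):
    """Inverse of the ClientHello form above, with length sanity checks."""
    nbytes = body[0]
    if nbytes % 2 or 1 + nbytes != len(body):
        raise ValueError("malformed supported_versions")
    return [struct.unpack_from("!H", body, 1 + i)[0] for i in range(0, nbytes, 2)]


def legacy_server(server_max, client_version, extensions=b""):
    """Pre-RFC 8446 negotiation (hypothetical model): only client_version is
    consulted and unknown extensions are ignored. A version-intolerant server
    aborts on anything newer than it knows instead of clamping to its maximum."""
    if client_version > server_max:
        raise ValueError("version intolerance: abort on 0x%04x" % client_version)
    return min(server_max, client_version)


def modern_server(server_versions, client_version, extensions):
    """RFC 8446 rule: if supported_versions is present, negotiate only from
    that list and ignore client_version; otherwise fall back to the legacy
    comparison. This model picks the highest version both sides support."""
    exts = decode_extensions(extensions)
    if EXT_SUPPORTED_VERSIONS not in exts:
        return legacy_server(max(server_versions), client_version)
    offered = parse_supported_versions(exts[EXT_SUPPORTED_VERSIONS])
    common = [v for v in offered if v in server_versions]
    if not common:
        raise ValueError("protocol_version alert: no common version")
    return max(common)


def tls13_client_hello_fields(versions):
    """A TLS 1.3 client pins client_version to 0x0303 and puts its real list
    in the extension, so an old server never sees the unfamiliar 0x0304."""
    return TLS12, encode_supported_versions(versions)


def tls10_compatible_client_hello_fields(versions):
    """The same idea applied to the TLS 1.0 -> 1.2 case: advertise 0x0301 in
    client_version and carry the newer versions in the extension."""
    return TLS10, encode_supported_versions(versions)


def aborts(fn, *args):
    """True if the modelled server rejects the hello (ValueError)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cv, ext = tls13_client_hello_fields([TLS13, TLS12])
    print("old TLS 1.2 server:", hex(legacy_server(TLS12, cv, ext)))
    print("RFC 8446 server:   ", hex(modern_server([TLS13, TLS12], cv, ext)))
    print("same old server, 0x0304 in client_version, aborts:",
          aborts(legacy_server, TLS12, TLS13))
```

Running the block shows the old server happily settling on TLS 1.2 because it only ever saw 0x0303 and skipped the extension it did not understand, while the RFC 8446 server reaches TLS 1.3 from the list; putting 0x0304 directly in client_version is what makes the intolerant server abort.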