On Fri, Jul 8, 2022 at 7:19 AM Cullen Jennings via Datatracker <nore...@ietf.org> wrote:

>
> I don't think BCP is the appropriate status for this. I think it should be
> PS.
> It explicitly says that it is not trying to change existent advice in
> existing RFCs and these will need other RFCs to "modernize" them. I note that
> www.google.com, www.apple.com, www.mozialla.org all offer TLS 1.0 and 1.1
> when I checked from Vancouver on July 8.


Some of these sites don't require TLS at all (Google Search doesn't), so I
think supporting older TLS versions makes sense in that case.

I think a lot of them choose to answer every request for public data over
any TLS version or unencrypted connections.

As time goes on, more big public sites redirect all "http" requests to
"https", but still do not care which version the client is using. After
all, they were answering over HTTP before.



>  I see no evidence of any
> discussion of how that will work out for things that use HTTP but are not
> browsers.
>

There just aren't that many implementations on the client side. Not only do
you have to implement all of the HTTP versions and TLS, but you have to
maintain all of the PKI stuff as well. Obviously, people do it, but they
are not the ones that need to read this document.

If the TLS library is not one also used by the OS and a browser (NSS,
SecureTransport, etc), it's probably OpenSSL. I don't think this is an
oversight in the document.

thanks,
Rob
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
