[Last-Call] Re: Concern about draft-ietf-uta-require-tls13-10 with IoT protocols

Hi Toerless,
At 09:05 AM 08-04-2025, Toerless Eckert wrote:
> I would like to point out that it is the current version of draft-ietf-uta-require-tls13
> whose core applicability reasoning is misleading:
>
> "since TLS 1.3 use is widespread, ...
>    new protocols that use TLS must require and assume its existence"
>
> This is not correct. Correct would be:
>
> "since TLS 1.3 use is widespread in browsers, ...
> new protocols that use browsers and TLS must require its use and assume its existence; protocols not using browsers must recommend its use and assume its existence"
>
> Recommending, but not requiring, the use of TLS 1.3 is unfortunately necessary for
> quite a while for the much larger space of IoT equipment and protocols written
> for non-browser environments where IoT equipment is important to be supported.
> Such IoT equipment often comes with SDKs that cannot be upgraded for long periods of time, sometimes as long as 10 years or longer, and/or solutions where an upgrade of the SDK (including OS) would require very expensive re-certification such as FIPS 140 or
> required regulatory requirements.

There is a table at http://r.elandsys.com/r/12206 depicting the distribution of SSL/TLS protocols by country. TLS v1.3 usage ranges from low to high depending on the person's vantage point.

I didn't look into software development kit lifespan. At a guess, I'd say that it could be ten years, as some things are not easily upgraded. One of the U.S. FIPS 140-2 certifications I found is valid until September 2026. The software lifespan might be different if regulatory requirements are a concern.

> If you think this is not appropriate, then please stop flying planes, because
> planes are one example of systems in which basic systems are not possible to rewrite
> from scratch because they cannot, for various, including financial, reasons be
> re-qualified at such a base level.
>
> :-)
>
> I hope other readers of this email worrying about being able to apply IETF
> protocol standards to IoT environments can chime in on these concerns.
>
> Short of that, the above text is a suggested re-write of the core applicability
> point of the UTA draft. There may be other text to update.

I am not sure whether that draft is applicable here, as there is another draft for the Internet of Things. If that draft were applicable, I read it as meaning that:

   (a) A new protocol has TLS v1.3 as the default setting.

   (b) A new protocol may specify TLS v1.2 as a non-default setting.

That's a bit confusing to me. There is some text in RFC 8446, Section 4.2.1, which defines a "supported_versions" extension. That text offers a better view of how TLS might work.

The draft states that it discusses post-quantum cryptography and then goes on to say that it is only possible to get that in TLS v1.3. It might be an effective call to action for a non-technical audience.

Regards,
S. Moonesamy
--
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx
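The supported_versions negotiation referred to in the reply above, as an added example that is not part of this thread, the draft, or RFC 8446: it parses the ClientHello form of the extension (RFC 8446, Section 4.2.1: a one-byte length followed by two-byte version codes) and shows how a server's policy, "require TLS 1.3" versus "recommend TLS 1.3 but still accept TLS 1.2", decides whether an older IoT SDK that only offers TLS 1.2 can connect at all. The policy names and the sample extension bodies are constructed for this example.

```python
import struct

TLS12 = 0x0303
TLS13 = 0x0304
NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3"}


def parse_supported_versions(body: bytes) -> list[int]:
    """Parse the ClientHello form of supported_versions (RFC 8446 s4.2.1).

    Layout: uint8 length, then length/2 big-endian uint16 ProtocolVersion
    values. Raises ValueError on malformed input so the caller can send a
    decode_error alert instead of guessing.
    """
    if not body:
        raise ValueError("empty supported_versions body")
    length = body[0]
    if length == 0 or length % 2 or len(body) != 1 + length:
        raise ValueError("bad supported_versions length")
    return [v for (v,) in struct.iter_unpack(">H", body[1:])]


def select_version(client_versions: list[int], policy: str):
    """Return the negotiated version, or None (server sends protocol_version).

    'require-1.3' models the draft's "must require" wording; 'recommend-1.3'
    models the fallback Toerless asks for: prefer 1.3, still accept 1.2 from
    an old SDK. Both policy names are this example's own.
    """
    server_prefs = {"require-1.3": [TLS13], "recommend-1.3": [TLS13, TLS12]}
    for v in server_prefs[policy]:  # server preference, highest first
        if v in client_versions:
            return v
    return None


# Constructed extension bodies (not captured traffic):
MODERN_CLIENT = bytes([4, 0x03, 0x04, 0x03, 0x03])  # offers 1.3 then 1.2
LEGACY_SDK = bytes([2, 0x03, 0x03])                 # a 1.2-only stack

if __name__ == "__main__":
    for label, body in (("modern", MODERN_CLIENT), ("legacy", LEGACY_SDK)):
        offered = parse_supported_versions(body)
        for policy in ("require-1.3", "recommend-1.3"):
            chosen = select_version(offered, policy)
            print(label, policy, NAMES.get(chosen, "protocol_version alert"))
```

Under "require-1.3" the legacy client gets a protocol_version alert; under "recommend-1.3" it connects with TLS 1.2 while the modern client still gets TLS 1.3, which is the difference between the draft's wording and the proposed rewrite.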



