[Last-Call] Re: Concern about draft-ietf-uta-require-tls13-10 with IoT protocols

S,


On Wed, Apr 09, 2025 at 10:23:28AM -0700, S Moonesamy wrote:
> There is a table at http://r.elandsys.com/r/12206 depicting the distribution
> of SSL/TLS protocols by country.  TLS v1.3 usage ranges from low to high
> depending on the person's vantage point.

That seems to be from
https://www.f5.com/labs/articles/threat-intelligence/the-2021-tls-telemetry-report.

As the report explains, that data was gathered by probing web pages on
the Internet. If the TLS 1.3 figures in that data look high enough to support what the
draft asks for, then that report might be a good reference to add to the draft.

However, because this data was collected by probing web servers on the Internet,
this picture provides no insight whatsoever into the type of host stacks that
I am worried about. Instead it could easily be seen as reconfirming what I am
worried about: the only data that can be, and is, easily collected is for Internet web services'
use of TLS 1.3 (see the picture).

> I didn't look into software development kit lifespan.  At a guess, I'd say
> that it could be ten years as some things are not easily upgraded.  One of
> the U.S. FIPS 140-2 certifications I found is valid until September 2026.
> The software lifespan might be different if regulatory requirements are a
> concern.
> 
> > If you think this is not appropriate, then please stop flying planes, because
> > planes are one example of systems in which basic systems cannot be rewritten
> > from scratch because, for various reasons including financial ones, they cannot be
> > re-qualified at such a base level.
> 
> :-)
> 
> > I hope other readers of this email worrying about being able to apply IETF
> > protocol standards to IoT environments can chime in on these concerns.
> > 
> > Short of that, the above text is a suggested rewrite of the core applicability
> > point of the UTA draft. There may be other text to update.
> 
> I am not sure whether that draft is applicable here as there is another
> draft for the Internet of Things.  If that draft were applicable, I read it
> as meaning that:

Which draft?

>    (a) A new protocol has TLS v1.3 as the default setting.
> 
>    (b) A new protocol may specify TLS v1.2 as a non-default setting.
> 
> That's a bit confusing to me.  There is some text in RFC 8446, Section
> 4.2.1, which defines a "supported_versions" extension.  That text offers a
> better view of how TLS might work.

Yes, I find those two (a), (b) requirements confusing too; I did suggest
different wording for draft-ietf-uta-require-tls13 in my first email.

> The draft states that it discusses post-quantum cryptography and then goes
> on to say that it is only possible to get that in TLS v1.3.  It might be an
> effective call to action for a non-technical audience.

Not sure what you mean by that. Rephrase, please?

Or else: discussing PQ seems like a red herring in the context of this draft,
because the fact that an application protocol specifies some TLS 1.2 or TLS 1.3
requirement does not mean it will include any additional PQ crypto.

Cheers
    Toerless

-- 
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx
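As an added illustration that is not part of either mail: the layout of the ClientHello "supported_versions" extension from RFC 8446, Section 4.2.1, which the thread points to, plus a server-side selection that mirrors the draft's (a)/(b) split of TLS 1.3 as default and TLS 1.2 as the non-default offer. The client preference order and the "highest mutually supported" server policy are my assumptions, not text from the RFC or the draft.

```python
# Added example (not from the thread): RFC 8446 section 4.2.1 supported_versions
# encode/decode for the ClientHello form, and an assumed server selection policy.
import struct

TLS12 = 0x0303
TLS13 = 0x0304
EXT_SUPPORTED_VERSIONS = 43  # extension type registered by RFC 8446


def encode_client_supported_versions(versions):
    """ClientHello form: extension_type, extension_length, then
    ProtocolVersion versions<2..254> (uint8 length + uint16 entries)."""
    body = b"".join(struct.pack("!H", v) for v in versions)
    return struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, len(body) + 1, len(body)) + body


def decode_client_supported_versions(ext):
    """Parse one extension and return the client's version list in its order.
    Length fields are cross-checked so a truncated or padded extension is
    rejected rather than silently accepted."""
    if len(ext) < 4:
        raise ValueError("extension header truncated")
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != EXT_SUPPORTED_VERSIONS:
        raise ValueError("not a supported_versions extension")
    data = ext[4:]
    if len(data) != ext_len or ext_len < 3:
        raise ValueError("extension length mismatch")
    n = data[0]
    if n != ext_len - 1 or n % 2 or n == 0:
        raise ValueError("version list length invalid")
    return [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, n + 1, 2)]


def select_version(server_versions, client_versions, legacy_version=TLS12):
    """Server-side choice. With the extension present, RFC 8446 requires the
    server to pick only from that list (highest mutually supported here, an
    assumed server preference). Without it, the client is pre-1.3 and the
    server falls back to the legacy_version rule: the highest version it
    supports that is not above the client's legacy_version. None means no
    common version, i.e. the handshake would fail."""
    if client_versions is None:
        candidates = [v for v in server_versions if v <= legacy_version]
    else:
        candidates = [v for v in server_versions if v in client_versions]
    return max(candidates) if candidates else None
```

A client built to the draft's wording would send [TLS13, TLS12]; against a TLS 1.2-only stack of the kind the thread worries about, select_version returns TLS12, and a TLS 1.3-only server facing a client with no extension returns None.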
