On Thu, Apr 10, 2025 at 11:59 AM Eric Rescorla <ekr@xxxxxxxx> wrote:
On Thu, Apr 10, 2025 at 11:41 AM Jared Mauch <jared@xxxxxxxxxxxxxxx> wrote:
On Tue, Apr 08, 2025 at 06:05:22PM +0200, Toerless Eckert wrote:
> Dear IESG, *:
>
> We received IESG review for draft-ietf-anima-brski-prm that was asking to
> make the use of TLS 1.3 mandatory based on the expectation that draft-ietf-uta-require-tls13
> would become RFC - unless we provide sufficient justification in our (prm) draft.
>
> I would like to point out, that it is the current version of draft-ietf-uta-require-tls13
> whose core applicability reasoning is misleading:
>
> "since TLS 1.3 use is widespread, ...
> new protocols that use TLS must require and assume its existence
>
> This is not correct. Correct would be:
>
> "since TLS 1.3 use is widespread in browsers, ...
> new protocols that use browsers and TLS must require its use and assume its existence,
> protocols not using browsers must recommend its use and assume its existence
>
The internet is not all HTTP transport, I'm not sure how to
clearly get this message through the IETF.
It seems this is all that the IETF seems to think exists, hence
DoH and other things without updating the host RFC to mandate these
other behaviors.
Last I checked the packets got to/from the servers via routing
protocols that did not use TLS, nor does the routing protocol require
the privacy that TLS provides, as I raised in the security area
meetings previously.

I'm certainly aware of this, having spent quite a bit of time working on applications that run over UDP.
Apologies for the editing glitch. This text was supposed to respond to
"The Internet is not all HTTP transport".
-Ekr
--
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx