RE: [Bug 4836] RFC4346 obsoletes RFC2246

Personally, I would be reluctant to override the current advice on SSL/TLS contained in the WS-I Basic Security Profile 1.0 [1].  It recommends the use of TLS 1.0 for Web services.

/paulc

[1] http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Ottawa, Ontario K2E 6A3
Tel: (613) 225-5445 Fax: (425) 936-7329
mailto:Paul.Cotton@microsoft.com





> -----Original Message-----
> From: public-ws-policy-request@w3.org [mailto:public-ws-policy-request@w3.org]
> On Behalf Of Philippe Le Hegaret
> Sent: July 5, 2007 5:28 PM
> To: public-ws-policy
> Subject: [Bug 4836] RFC4346 obsoletes RFC2246
>
>
> http://www.w3.org/Bugs/Public/show_bug.cgi?id=4836
>
> I noticed that RFC4346 (TLS 1.1) obsoletes RFC2246 (TLS 1.0) and, since
> both the framework and attachment specifications are referencing RFC
> 2246, I wonder if the Group considered using RFC 4346.
>
> It's not clear to me how TLS 1.1 is deployed. The RFC was published in
> April 2006. There is ongoing work on TLS 1.2 [1]. I didn't find
> evidence that Java or .Net supports 1.1.
>
> Digging around, I found a discussion on this subject at [2], which seems
> to indicate that this is still an open question.
>
> The WS-Policy specifications only mention "such as [...], SSL/TLS [IETF
> RFC 2246],".
>
> My proposal is to either:
> 1. leave the specification as is, since it's only mentioned as a
> possibility and isn't a normative reference.
> 2. change the reference from "2246" to "2246 or its successors".
>
> If the Group comes up with a third solution, I'll probably be happy as
> well.
>
> Philippe
>
> [1] http://www.ietf.org/html.charters/tls-charter.html
> [2] http://osdir.com/ml/ietf.apps-discuss/2007-01/msg00040.html
>

Received on Friday, 6 July 2007 02:06:39 UTC