Re: [Bug 4836] RFC4346 obsoletes RFC2246 from Christopher B Ferris on 2007-07-10 (public-ws-policy@w3.org from July 2007)

From: Christopher B Ferris <chrisfer@us.ibm.com>
Date: Tue, 10 Jul 2007 12:55:16 -0400
To: Mark Little <mark.little@jboss.com>
Cc: Paul Cotton <Paul.Cotton@microsoft.com>, Philippe Le Hegaret <plh@w3.org>, public-ws-policy <public-ws-policy@w3.org>, public-ws-policy-request@w3.org
Message-ID: <OFE2F24DC1.29932B59-ON85257314.005C4447-85257314.005CCAC7@us.ibm.com>

+1

Christopher Ferris
STSM, Software Group Standards Strategy
email: chrisfer@us.ibm.com
blog: http://www.ibm.com/developerworks/blogs/page/chrisferris
phone: +1 508 234 2986

public-ws-policy-request@w3.org wrote on 07/08/2007 06:42:39 AM:

> +1
> 
> On 6 Jul 2007, at 03:06, Paul Cotton wrote:
> 
> Personally, I would be reluctant to override the current advice on 
> SSL/TLS contained in the WS-I Basic Security Profile 1.0 [1].  It 
> recommends the use of TLS 1.0 for Web services.
> 
> /paulc
> 
> [1] http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html
> 
> Paul Cotton, Microsoft Canada
> 17 Eleanor Drive, Ottawa, Ontario K2E 6A3
> Tel: (613) 225-5445 Fax: (425) 936-7329
> mailto:Paul.Cotton@microsoft.com
> 
> -----Original Message-----
> From: public-ws-policy-request@w3.org [mailto:public-ws-policy-
> request@w3.org] On Behalf Of Philippe Le Hegaret
> Sent: July 5, 2007 5:28 PM
> To: public-ws-policy
> Subject: [Bug 4836] RFC4346 obsoletes RFC2246
> 
> http://www.w3.org/Bugs/Public/show_bug.cgi?id=4836
> 
> I noticed that RFC4346 (TLS 1.1) obsoletes RFC2246 (TLS 1.0) and, since
> both the framework and attachment specifications are referencing RFC
> 2246, i wonder if the Group considered using RFC 4346.
> 
> It's not clear to me how TLS 1.1 is deployed. The RFC was published in
> April 2006. There is a ongoing work on TLS 1.2 [1]. I didn't find
> evidences that Java or .Net supports 1.1.
> 
> Digging around, I found a discussion on this subject at [2], which seems
> to indicate that this is still an open question.
> 
> The WS-Policy specifications only mentions "such as [...], SSL/TLS [IETF
> RFC 2246],".
> 
> My proposal is to either:
> 1. leave the specification as is, since it's only mentioned as a
> possibility and isn't a normative reference.
> 2. change the reference from "2246" to "2246 or its successors".
> 
> If the Group comes up with a third solution, I'll probably be happy as
> well.
> 
> Philippe
> 
> [1] http://www.ietf.org/html.charters/tls-charter.html
> [2] http://osdir.com/ml/ietf.apps-discuss/2007-01/msg00040.html
> 
> ----
> 
> Mark Little
> mark.little@jboss.com
> 
> JBoss, a Division of Red Hat
> Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod 
> Street, Windsor, Berkshire, 
> SI4 1TE, United Kingdom. 
> Registered in UK and Wales under Company Registration No. 3798903 
> Directors: Michael Cunningham (USA), Charlie Peters (USA) and David 
> Owens (Ireland)

Received on Tuesday, 10 July 2007 16:55:31 UTC