Deprecating Secure Sockets Layer Version 3.0
RFC 7568
Yes
No Objection
Note: This ballot was opened for revision 02 and is now closed.
Alvaro Retana No Objection
(Barry Leiba; former steering group member) Yes
The abstract says (as it should) that this updates all versions of TLS... yet the metadata only updates 1.2. For most situations I'd think that appropriate (no need to update the ones that are obsoleted), but in this case the deployment of earlier versions is sufficiently widespread (and, after all, you do have them as normative references) that I think we should add 2246 and 4346 to the "updates" list. Note, though, that this is not a DISCUSS, so I'll leave it to y'all to decide what's best.
I think prohibiting-rc4 doesn't need to be a normative reference; I'd make it informative. I think the same is true for RFC 4492.
-- Section 3 --
Pretty short litany, here, really. I guess it's not the whole megillah. Jus' sayin'.
(Ben Campbell; former steering group member) Yes
(Brian Haberman; former steering group member) Yes
(Joel Jaeggli; former steering group member) Yes
(Kathleen Moriarty; former steering group member) Yes
(Martin Stiemerling; former steering group member) Yes
(Stephen Farrell; former steering group member) Yes
(Alia Atlas; former steering group member) No Objection
(Deborah Brungard; former steering group member) No Objection
(Jari Arkko; former steering group member) No Objection
(Spencer Dawkins; former steering group member) No Objection
Thank you for writing this. Even the transport dorks know it matters. I wish you had used the word "die" in the draft name more than three times, but you're the experts :-)
I'm not parsing this text the way I think you want me to:
    The predecessor of SSLv3, SSL version 2 [RFC6101], is no longer considered secure [RFC6176]. SSLv3 now follows.
I'm struggling with "is no longer considered secure" in the present tense, describing an action taken several years ago. Is the point that negotiating SSLv2 was prohibited in 2011 because SSLv2 was no longer considered secure, and negotiating SSLv3 is now being prohibited in the same way, for the reasons listed in this document? If so, saying something like that might be clearer ...
(Terry Manderson; former steering group member) No Objection