cti-taxii message



Subject: TLS MUST Misconception


I sense a lot of the pushback on “TAXII servers MUST implement TLS 1.2 and SHOULD implement future versions of TLS” is of the vein that if TLS 1.2 blows up in the future, someone will say they HAVE to use TLS 1.2 to be a TAXII 2.0 server.

I will be the pot calling the kettle black and say that is purely an academic, will never happen in the real world situation.

One of two broad classes of remediations will happen in reality.

The first class of remediation is that TAXII is living and there will be future releases, which can specify alternative mandatory secure communications protocols while explicitly deprecating the use of TLS 1.2. OK, I already hear the cacophony of, “But my client won’t upgrade past TAXII 2.0.” We have existence proofs of this in the wild: how much Windows XP is still out there? However, those with Windows XP know they are SOL when it comes to security, and they made a choice to roll the dice (versus blowing up their nuclear plant because no one has run regression on the system with a modern OS - a Gordian Knot problem). As Shimon Peres said, “If a problem has no solution, it may not be a problem, but a fact - not to be solved, but to be coped with over time.”

The second class of remediation is since the proposal for the specification is to say “… SHOULD implement future versions of TLS” a one-page errata saying “don’t do TLS 1.2” is sufficient. No need to spend 18 months agonizing about opening the entire specification to fix it. That’s what we did with HTTP to get rid of SSL.
