[TLS] Re: Ketan Talaulikar's No Objection on draft-ietf-tls-tls12-frozen-07: (with COMMENT)

["Arano, Edward" <edward.arano@bofa.com>]

Dear Rich Salz
Thank you kindly for your reply. I did not know that you had authored the drafts.  Pleased to collaborate with you.  I still think the IETF should reconsider.  There are millions (im sure much more) of server OS’s in production around the world representative of many organizations (government/military  and public)  that cannot support TLS 1.3 natively.  😊

Is it reasonable to expect all organizations to upgrade all this infrastructure in a few years to a Server OS that supports TLS 1.3 when the new pqc algorithms can just be added to TLS 1.2?


Respectfully
Eddie
From: Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>
Sent: Thursday, June 5, 2025 2:52 PM
To: Arano, Edward <edward.arano@bofa.com>; tls@ietf.org; Paul Wouters <paul.wouters@aiven.io>
Subject: Re: [TLS] Re: Ketan Talaulikar's No Objection on draft-ietf-tls-tls12-frozen-07: (with COMMENT)

ZjQcmQRYFpfptBannerEnd
Hello Apologies  and not sure if this is the right place to ask this question;  but wondering if the IETF will reconsider adding PQC algorithms to TLS 1.2??

Yes, this is the right place to start a conversation. I expect it won’t get very far beyond strong consensus that the answer is no.  There is a related draft, https://datatracker.ietf.org/doc/draft-ietf-uta-require-tls13/<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-uta-require-tls13/__;!!I2XIyG2ANlwasLbx!RBC6R5rQGVN7u4Ja2ClWKbPcg4O1qAixwDIpl0kaf2599GvCokwCwGolidEO36ZzWnTdlxrrKlGWjHgl-U3UowUsojKIfRvd$> that encourages people to move to TLS 1.3.  Both of these have been through the IETF approval process and are waiting for the AD to post a public notice.  (Nudge, Paul :)

Adding new algorithms to TLS 1.2 requires installing new software, of course. For a variety of reasons, if you must install new software, the IETF view is you should install TLS 1.3.

Disclaimer: I’m the primary author of both of the drafts.

                /r$

PS: Your disclaimer – repeated twice! – is in violation of the IETF policy that list traffic can be seen by anyone. :)

----------------------------------------------------------------------
This message, and any attachment(s), is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/electronic-disclaimer. If you are not the intended recipient, please delete this message. For more information about how Bank of America protects your privacy, including specific rights that may apply, please visit the following pages: https://business.bofa.com/en-us/content/global-privacy-notices.html (which includes global privacy notices) and https://www.bankofamerica.com/security-center/privacy-overview/ (which includes US State specific privacy notices such as the http://www.bankofamerica.com/ccpa-notice)