Section 3.2
When TLS-only
communication is available for a certain protocol, it MUST be used
by implementations and MUST be configured by administrators.
This guidance seems a little vague but prescriptive. Is the guidance that if
there is a TLS-version or TLS support for a given protocol, that
implementations of that protocol “MUST” support it? My confusion is around the
wording that “it must be used by implementations.”
The idea is that if the protocol has a way to ensure that TLS is used (e.g., port 443 in HTTP), then it is safer to use that method than to perform dynamic upgrade. This isn't about using TLS or not using TLS, but about which method is used (if a protocol supports a TLS-only mode/port and a dynamic upgrade mode/port). We thought this would have been clear from the context of the paragraph.
Perhaps this would be clearer?
OLD
When TLS-only
communication is available for a certain protocol, it MUST be used
by implementations and MUST be configured by administrators.
NEW
When a TLS-only
communication method is available for a certain protocol, it MUST
be used by implementations and MUST be configured by
administrators, in preference to a dynamic upgrade method.
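The distinction discussed above (a TLS-only endpoint such as port 443 versus a dynamic-upgrade endpoint whose capability is learned over cleartext) can be made concrete as a client-side policy. The following is an added example, not text or code from the draft or from this issue; the server, its ports and the `Policy` fields are simulated and hypothetical so that the decision logic runs offline. It shows a client that always prefers the TLS-only method when one exists, accepts dynamic upgrade only as a fallback, and fails closed rather than continuing in cleartext when the upgrade capability is missing.

```python
"""Added example (not from the issue thread or the draft): a client-side
transport policy that prefers a TLS-only (implicit TLS) endpoint over a
dynamic-upgrade (STARTTLS-style) endpoint and never silently falls back
to cleartext. The server is simulated so the example runs offline."""
from dataclasses import dataclass
from enum import Enum


class Transport(Enum):
    IMPLICIT_TLS = "implicit-tls"   # e.g. HTTPS on 443, SMTPS on 465
    STARTTLS = "starttls"           # dynamic upgrade on the cleartext port
    CLEARTEXT = "cleartext"


@dataclass
class SimulatedServer:
    """Hypothetical server (constructed for this example): whether a
    TLS-only port is reachable and whether the cleartext port advertises
    the upgrade capability."""
    implicit_tls_port_open: bool
    advertises_starttls: bool


@dataclass
class Policy:
    """Administrator-set local policy (hypothetical fields, mirroring the
    'strict local policy' idea raised in the thread)."""
    require_tls: bool = True       # fail closed instead of using cleartext
    prefer_implicit: bool = True   # TLS-only endpoint beats dynamic upgrade


class DowngradeRefused(Exception):
    """Raised when the policy requires TLS but no TLS method is available."""


def negotiate(server: SimulatedServer, policy: Policy) -> Transport:
    """Return the Transport the client will use, or raise DowngradeRefused."""
    # 1. TLS-only method: the choice is made locally, nothing to strip.
    if policy.prefer_implicit and server.implicit_tls_port_open:
        return Transport.IMPLICIT_TLS
    # 2. Dynamic upgrade: the capability arrives over cleartext, so its
    #    absence is indistinguishable from an on-path downgrade.
    if server.advertises_starttls:
        return Transport.STARTTLS
    # 3. No TLS method offered: a strict policy fails closed here.
    if policy.require_tls:
        raise DowngradeRefused("no TLS method offered; refusing cleartext")
    return Transport.CLEARTEXT


def capability_lost(server: SimulatedServer) -> SimulatedServer:
    """Simulate the cleartext port no longer advertising the upgrade
    capability (misconfiguration or an on-path downgrade look the same
    to the client)."""
    return SimulatedServer(server.implicit_tls_port_open, advertises_starttls=False)


if __name__ == "__main__":
    strict = Policy()
    both = SimulatedServer(implicit_tls_port_open=True, advertises_starttls=True)
    print("both methods offered  ->", negotiate(both, strict).value)
    upgrade_only = SimulatedServer(False, True)
    print("upgrade only          ->", negotiate(upgrade_only, strict).value)
    try:
        negotiate(capability_lost(upgrade_only), strict)
    except DowngradeRefused as exc:
        print("capability lost       -> refused:", exc)
```

With the default (strict) policy the client selects the TLS-only endpoint whenever it is open, uses dynamic upgrade only when that is the sole TLS method, and refuses the connection rather than degrading to cleartext when the upgrade capability disappears; only an administrator relaxing `require_tls` makes cleartext reachable at all.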
As I suggested via email, perhaps it would be clearer to say that implementations must provide the ability for administrators to set a strict local policy. I will provide a PR.
cc @rdanyliw