Implementing NTS options
Hal Murray
hmurray at megapathdsl.net
Sat Feb 2 09:44:31 UTC 2019
>>*tls1.2* Allow TLS1.2 connection.
>>*tls1.3* Allow TLS1.3 connection.
> Second, why would you ever want one of these allow bits off? I want to hear
> a good story here not just to convince me that they're worth the complexity
> but so it can go in the documentation.
From the draft:
Implementations MUST NOT negotiate TLS versions earlier than 1.2,
SHOULD negotiate TLS 1.3 [RFC8446] or later when possible, and MAY
refuse to negotiate any TLS version which has been superseded by a
later supported version.
--------
I assume the default would be no for TLS 1.2 and yes for TLS 1.3.
Should we be specifying min version rather than allowing various versions?
Do we need a way to test 1.2? Maybe we can wait until we find a box that
doesn't support 1.3 yet.
----------
> Again. The barrier to entry for these is higher because they would need a
> non-trivial grammar modification
Does the grammar support quoted strings?
--
These are my opinions. I hate spam.
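
Added example, not part of the original message and not NTPsec code: a Python sketch comparing the two option styles discussed above, per-version allow bits versus a single minimum version, as the (min, max) window a TLS library accepts. The option strings and function names are hypothetical; only the `ssl` module calls are real.

```python
import ssl

# Constructed option names mirroring the thread's tls1.2 / tls1.3 allow bits.
# Nothing older than TLS 1.2 is nameable, matching the draft's MUST NOT.
VERSIONS = {
    "tls1.2": ssl.TLSVersion.TLSv1_2,
    "tls1.3": ssl.TLSVersion.TLSv1_3,
}


def window_from_allow_bits(allowed):
    """Collapse a set of allowed versions into a (min, max) pair."""
    unknown = set(allowed) - set(VERSIONS)
    if unknown:
        raise ValueError("unsupported TLS version option: %s" % sorted(unknown))
    if not allowed:
        raise ValueError("every TLS version is disabled")
    chosen = sorted(VERSIONS[name] for name in allowed)
    return chosen[0], chosen[-1]


def window_from_min_version(name):
    """Single-knob alternative: a floor only, newest version always allowed."""
    if name not in VERSIONS:
        raise ValueError("unsupported TLS version option: %r" % name)
    return VERSIONS[name], ssl.TLSVersion.MAXIMUM_SUPPORTED


def client_context(window):
    """Apply a (min, max) window to a certificate-verifying client context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version, ctx.maximum_version = window
    return ctx


if __name__ == "__main__":
    # "tls1.2 only" is the one setting allow bits can express and a minimum
    # version cannot; it is what a test of the TLS 1.2 path would need.
    for bits in ({"tls1.3"}, {"tls1.2", "tls1.3"}, {"tls1.2"}):
        lo, hi = window_from_allow_bits(bits)
        print(sorted(bits), "->", lo.name, "..", hi.name)
    lo, hi = window_from_min_version("tls1.2")
    print("min tls1.2 ->", lo.name, "..", hi.name)
```
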