RESOStandards / transport

RESO Transport Workgroup - Specifications and Change Proposals
https://transport.reso.org

RCP-042: TLS v1.3 RFC updates #26

Closed grispin closed 2 years ago

grispin commented 2 years ago

Updates to WebApi standards to current industry standards. The current reference document has security concerns.

grispin commented 2 years ago

I'm not saying that we support only TLS v1.3 but we make it the mandatory version for certification so that the clients and servers negotiate the most secure connection possible. TLSv1.3 has been out as a standard for 4 years now and is included in every major browser and web platform engine.

The TLS v1.2 list of vulnerabilities is getting longer, with a large portion of the ciphers in TLS v1.2 considered weak due to known issues (Wikipedia TLS page). There is significant work that both clients and servers must do to ensure a TLS v1.2 compliant library and connection is actually secure. Specifying TLSv1.3 addresses those issues in the longer term as they are all included in the updated specification.

If we want to allow TLSv1.2 for a period of time for backwards compatibility, I can understand that but we should make TLSv1.3 a "MUST" for the next release so the standard moves forward with
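
An added example, not part of this issue or of the RESO transport repository, of the kind of certification check the proposal implies: a Python client probes an endpoint once with only TLS 1.3 offered and once with only TLS 1.2 offered, then maps the result onto the rule argued for above (TLS 1.3 MUST be negotiable, TLS 1.2 may remain as a transition fallback). The host and port are supplied by whoever runs it, and the verdict wording is my own, not text from the specification.

```python
"""Probe a Web API endpoint for the TLS versions it will negotiate.

Assumed certification rule (taken from the proposal in this issue, not
from the published RESO spec): TLS 1.3 MUST be negotiable; TLS 1.2 MAY
stay enabled for a transition period.
"""
import socket
import ssl
import sys

TLS13 = ssl.TLSVersion.TLSv1_3
TLS12 = ssl.TLSVersion.TLSv1_2
TIMEOUT = 5.0  # seconds per handshake attempt


def make_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context pinned to exactly one protocol version.

    create_default_context() keeps certificate and hostname verification on,
    so a handshake only succeeds against a properly configured server.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def offers(host: str, version: ssl.TLSVersion, port: int = 443) -> bool:
    """True if the server completes a handshake when only `version` is offered."""
    ctx = make_context(version)
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True  # min == max, so success means this exact version
    except (ssl.SSLError, OSError):
        return False  # version refused, cert failure, or no connectivity


def evaluate(tls13: bool, tls12: bool) -> str:
    """Map probe results onto the proposed certification rule."""
    if tls13 and not tls12:
        return "compliant: TLS 1.3 only"
    if tls13 and tls12:
        return "compliant: TLS 1.3 with TLS 1.2 fallback (transition period)"
    if tls12:
        return "non-compliant: TLS 1.2 only, TLS 1.3 MUST be offered"
    return "non-compliant: neither TLS 1.2 nor TLS 1.3 negotiable"


def check_endpoint(host: str, port: int = 443) -> dict:
    tls13 = offers(host, TLS13, port)
    tls12 = offers(host, TLS12, port)
    return {"host": host, "tls1.3": tls13, "tls1.2": tls12,
            "verdict": evaluate(tls13, tls12)}


if __name__ == "__main__":
    # usage: python probe.py api.example.invalid [port]
    print(check_endpoint(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```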

grispin commented 2 years ago

@darnjo I would still like for us to get this into the specification. If not this release, then the next one.