Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-13 Thread Joseph Salowey
Thanks to all those that participated in the list discussion, it was a very
popular topic.  On the list and in the meeting, TLS 1.3 had more support
than any other option so we believe there is rough consensus to leave the
name of the protocol as TLS 1.3.

Thanks,

J&S

On Sat, Dec 3, 2016 at 10:15 PM, Mohan Sekar wrote:

> +1 on Tony comment
>
> - Keep this version TLS 1.3
>
> - For the next version of TLS, drop the 1.x and call it TLS 4
>
> Mohan Sekar
>
> From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Tony Arcieri
> Sent: Saturday, December 3, 2016 9:04 AM
> To: Sean Turner
> Cc:
> Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*
>
> On Thu, Nov 17, 2016 at 6:12 PM, Sean Turner wrote:
>
> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not
> rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision
> on the list so please let the list know your top choice between:
>
> - Leave it TLS 1.3
> - Rebrand TLS 2.0
> - Rebrand TLS 2
> - Rebrand TLS 4
>
> by 2 December 2016.
>
> I guess we're at the deadline, but I have a compromise I think makes sense:
>
> - Keep this version TLS 1.3
>
> - For the next version of TLS, drop the 1.x and call it TLS 4
>
> --
>
> Tony Arcieri
>
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-03 Thread Mohan Sekar
+1 on Tony comment

- Keep this version TLS 1.3
- For the next version of TLS, drop the 1.x and call it TLS 4

Mohan Sekar

From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Tony Arcieri
Sent: Saturday, December 3, 2016 9:04 AM
To: Sean Turner 
Cc:  
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*

On Thu, Nov 17, 2016 at 6:12 PM, Sean Turner wrote:
The consensus in the room was to leave it as is, i.e., TLS1.3, and to not 
rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision on 
the list so please let the list know your top choice between:

- Leave it TLS 1.3
- Rebrand TLS 2.0
- Rebrand TLS 2
- Rebrand TLS 4

by 2 December 2016.

I guess we're at the deadline, but I have a compromise I think makes sense:

- Keep this version TLS 1.3
- For the next version of TLS, drop the 1.x and call it TLS 4

--
Tony Arcieri


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-03 Thread Peter Gutmann
Tony Arcieri  writes:

>There is now a huge body of work which calls the protocol "TLS 1.3"

When you say "huge body of work" you're referring to an IETF draft with "no
formal status, subject to change or removal at any time; therefore they should
not be cited or quoted in any formal document" (in other words a no-op), and
some research reports/papers and blog posts, pretty much invisible to anyone
outside the WG and a few people who follow it in the crypto community.  To
quote Douglas Adams, "this must be some new use of the word huge with which I
wasn't previously familiar".

So I'll maintain my point that the only real argument that's been put forward
for 1.3 is inertia, "we've always done it this way and I don't want to
change".  And that's why I support 4, or 2017, or whatever: The WG can pretend
it's meant to be called TLS, everyone else can keep calling it SSL like they
always have, but no matter what, the numbers will work out.  No matter how you
choose to label the alphabetical part, either 4 or 2017 is obviously the
newer, better version number.

Peter.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-03 Thread Karthik Bhargavan
>
> The wire format is one thing, but there is work that has been done at a
> much higher level referencing "TLS 1.3", e.g. TRON work:
>
> http://prosecco.gforge.inria.fr/personal/karthik/pubs/proscript-tls-tron-2016.pdf
>


Thanks for the reference but this draft paper does not count as a
publication. Yes, there are other published papers that have appeared
during the last year that use the name TLS 1.3, but I think academics will
keep out of this (re)naming debate because it does not matter so much for
us. We are already citing draft versions in our papers, because a proof for
draft 10 does not carry over to draft 18. When the RFC comes out, we'll
start consistently citing the published protocol, whatever it is called.

Again, I'll keep out of the protocol name discussion, but I don't think the
name will add too much confusion for academic works, or put another way, it
will not reduce the confusion which already exists between various draft
versions and the final RFC.


>
>
>> The volume of work that will be published in the hopefully 18 or more
>> years that this draft is in deployment will dwarf the current body of
>> work.  If it doesn't, then we will have completely failed.
>
>
> While more security analysis against whatever-the-new-TLS-is-called will
> certainly happen, I would imagine it would be split against
> whatever-the-next-TLS-version-is-called. And the thing is, a lot of the
> extant research about "TLS 1.3" is fantastic, so much so that I think it
> will be routinely cited. Certainly there will be new research, but much of
> the groundwork has already been laid.
>
> From what I can tell, the main argument for changing the version is to
> *reduce confusion*. I am incredibly unconvinced rebranding TLS 1.3 to TLS
> 4/2017/9000 will actually accomplish the intended goal.
>
> A recent example of what sort of confusion I could see arise: ECMAScript.
> They moved from a numbered branding (ES6/ES7) to a year-based branding
> (ES2016/ES2017). People continue to use both, so now you have to maintain a
> mental mapping of which-version-to-which-year.
>
> The optimal solution to me as far as reducing these sort of mental
> gymnastics goes is to keep the version as "TLS 1.3" and drop the 1.x in the
> next release. This gets the "TLS 4" advocates what they want, just not
> right away, without renaming the current release at the last minute.
>
> --
> Tony Arcieri
>


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Tony Arcieri
On Fri, Dec 2, 2016 at 7:57 PM, Scott Schmit  wrote:

> This draft has been in development since April 2014, 2.6 years ago.
> Over that time, the wire protocol has changed multiple times and
> incompatibly.  So not even all of that 2.6 years of details is still
> applicable to the protocol we're going to publish as an RFC.  So why
> would mixing up searches for the final protocol with the draft versions
> be a good thing?
>

The wire format is one thing, but there is work that has been done at a
much higher level referencing "TLS 1.3", e.g. TRON work:

http://prosecco.gforge.inria.fr/personal/karthik/pubs/proscript-tls-tron-2016.pdf


> The volume of work that will be published in the hopefully 18 or more
> years that this draft is in deployment will dwarf the current body of
> work.  If it doesn't, then we will have completely failed.


While more security analysis against whatever-the-new-TLS-is-called will
certainly happen, I would imagine it would be split against
whatever-the-next-TLS-version-is-called. And the thing is, a lot of the
extant research about "TLS 1.3" is fantastic, so much so that I think it
will be routinely cited. Certainly there will be new research, but much of
the groundwork has already been laid.

From what I can tell, the main argument for changing the version is to
*reduce confusion*. I am incredibly unconvinced rebranding TLS 1.3 to TLS
4/2017/9000 will actually accomplish the intended goal.

A recent example of what sort of confusion I could see arise: ECMAScript.
They moved from a numbered branding (ES6/ES7) to a year-based branding
(ES2016/ES2017). People continue to use both, so now you have to maintain a
mental mapping of which-version-to-which-year.

The optimal solution to me as far as reducing these sort of mental
gymnastics goes is to keep the version as "TLS 1.3" and drop the 1.x in the
next release. This gets the "TLS 4" advocates what they want, just not
right away, without renaming the current release at the last minute.

-- 
Tony Arcieri


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Scott Schmit
On Fri, Dec 02, 2016 at 03:35:00AM +, David Benjamin wrote:
> I think TLS 4 makes everything worse, not better.
> 
> In hindsight, renaming SSL 3.1 was a terrible mistake. But TLS 1.2 is going
> to exist for a long time. If we call the next one 4, we have to explain a
> gap in the versioning (1.0, 1.1, 1.2, 4?) and placing 2.0 and 3.0 after 1.2
> becomes even more inviting.
> 
> Short of a time machine so we can call this SSL 3.4, the best fix is to let
> SSL 3.0 fall away. This is already semi-plausible (it's out of all
> browsers) and is only going to become more realistic over time. Certainly
> it will be faster than TLS 1.2 going away and undoing TLS 4's version gap
> problem. (TLS 1.3 even places SSL 3.0 as a MUST NOT, for what little teeth
> that has.)
> 
> Once SSL 3.0 falls away, we'll be left with 1.0, 1.1, 1.2, and 1.3, which
> is a plausible numbering progression. There'll still be the mess with SSL
> being the informal name for the protocol family, but that isn't a numbering
> problem.

Then "TLS 2017" should be even better.  It's neither < 3 nor similar
enough to SSL versions as to be confused with them.

And the shift in versioning strategy is so typical it would probably not
even draw serious notice.

-- 
Scott Schmit




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Scott Schmit
On Fri, Dec 02, 2016 at 02:16:16PM -0800, Tony Arcieri wrote:
> On Fri, Dec 2, 2016 at 1:21 PM, Peter Gutmann wrote:
> 
> > The change was proposed long ago, and deferred by the chairs until now.
> > This is just another variant of the inertia argument.
> 
> 
> You keep dismissing this argument out of hand, but I think it has merit.
> 
> I think we can all admit the decision to rename SSL -> TLS is a mistake (to
> the point people are proposing to retroactively re-rename TLS back to SSL).
> 
> There is now a huge body of work which calls the protocol "TLS 1.3" which
> will be cited for years to come. You wrote this whole body of work off as
> the concern of "TLS WG and a small number of people who interact with it"
> as if a move to a different version number comes at zero cost almost as if
> this work doesn't matter, but I have a different view: this is one more bit
> of errata in exactly the same vein as the SSL -> TLS move which anyone
> consulting this body of work will have to contend with.
> 
> You will no doubt disagree, so I'm simply saying it for posterity: keeping
> the version TLS 1.3 is the least confusing option, IMO.

SSL 3.0 was defined in November 1996 (20 years ago).
RFC 7568 (sslv3diediedie) was published in June 2015.
That's about 18.5 years.

TLS 1.0 is still in use, it was standardized in January 1999.
It's not dead yet, but there has been talk of it.
That's almost 18 years ago.

So these protocols tend to last multiple decades (granted, this is a
small sample size, but it's what we've got).

This draft has been in development since April 2014, 2.6 years ago.
Over that time, the wire protocol has changed multiple times and
incompatibly.  So not even all of that 2.6 years of details is still
applicable to the protocol we're going to publish as an RFC.  So why
would mixing up searches for the final protocol with the draft versions
be a good thing?

Development versions get new names when they get delivered all the time.
Frankly, at $DAYJOB, development versions are always different than the
final delivered version, by definition.  Doing otherwise is poor version
control.

The volume of work that will be published in the hopefully 18 or more
years that this draft is in deployment will dwarf the current body of
work.  If it doesn't, then we will have completely failed.

Finally, at the top of every internet draft, the IETF states:
> Internet-Drafts are draft documents valid for a maximum of six months
> and may be updated, replaced, or obsoleted by other documents at any
> time.  It is inappropriate to use Internet-Drafts as reference
> material or to cite them other than as "work in progress."

So, no, we have *not* been calling the next version of TLS "TLS 1.3" for
2.6 years.  We have been calling it "a work in progress, subject to
change at any time."  Anyone doing otherwise is arguably as confused as
those who don't even know what TLS is.  And there are a lot more of the
latter than the former.

But no, I would not support calling the next TLS version "SSL 4/2017" -- the
harm of invalidating the "SSL is broken, TLS is (more) secure" advice is
too great. I'd support calling it RSSL (really secure ...) before I'd
support that.

-- 
Scott Schmit




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Viktor Dukhovni

> On Dec 2, 2016, at 10:34 PM, Tony Arcieri  wrote:
> 
> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not 
> rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision on 
> the list so please let the list know your top choice between:
> 
> - Leave it TLS 1.3
> - Rebrand TLS 2.0
> - Rebrand TLS 2
> - Rebrand TLS 4
> 
> by 2 December 2016.
> 
> I guess we're at the deadline, but I have a compromise I think makes sense:
> 
> - Keep this version TLS 1.3
> - For the next version of TLS, drop the 1.x and call it TLS 4 

That "next version", will perhaps be the one after the QC crypto-apocalypse...

More seriously I don't expect another TLS version after this for a decade
or so.  The adoption cycle is so long, it makes little sense to rev the
protocol with any frequency.  So get it right now, near-term revisions
seem unlikely.

So I see your proposal as not a compromise, but rather as staying with
the status quo, for better or worse and for quite some time...

-- 
Viktor.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Tony Arcieri
On Thu, Nov 17, 2016 at 6:12 PM, Sean Turner  wrote:

> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not
> rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision
> on the list so please let the list know your top choice between:
>
> - Leave it TLS 1.3
> - Rebrand TLS 2.0
> - Rebrand TLS 2
> - Rebrand TLS 4
>
> by 2 December 2016.


I guess we're at the deadline, but I have a compromise I think makes sense:

- Keep this version TLS 1.3
- For the next version of TLS, drop the 1.x and call it TLS 4

-- 
Tony Arcieri


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Tony Arcieri
On Fri, Dec 2, 2016 at 1:21 PM, Peter Gutmann wrote:

> The change was proposed long ago, and deferred by the chairs until now.
> This is just another variant of the inertia argument.


You keep dismissing this argument out of hand, but I think it has merit.

I think we can all admit the decision to rename SSL -> TLS is a mistake (to
the point people are proposing to retroactively re-rename TLS back to SSL).

There is now a huge body of work which calls the protocol "TLS 1.3" which
will be cited for years to come. You wrote this whole body of work off as
the concern of "TLS WG and a small number of people who interact with it"
as if a move to a different version number comes at zero cost almost as if
this work doesn't matter, but I have a different view: this is one more bit
of errata in exactly the same vein as the SSL -> TLS move which anyone
consulting this body of work will have to contend with.

You will no doubt disagree, so I'm simply saying it for posterity: keeping
the version TLS 1.3 is the least confusing option, IMO.

-- 
Tony Arcieri


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Peter Gutmann
Viktor Dukhovni  writes:

>I was with you up to this point, but I do think that going back to SSL is not
>a good idea, and takes us off topic.

It was just something to throw out there, and to point out that no matter what
the WG calls it, the rest of the world will keep calling it SSL.  It's been
twenty years, it's not going to change any more now.

>Opening it up even wider seems like a sure way to get nowhere (which is
>likely status quo TLS 1.3).

Yeah, fair enough.  It would be nice to finally fix a 20-year-old mistake 
though.

Peter.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Peter Gutmann
Maarten Bodewes  writes:

>The point is we are now indeed on draft 18. Changing the name now is very
>problematic because everybody on the mailinglist already calls it TLS 1.3,
>for a long time and no matter what you do, a lot of us (who are hopefully the
>experts) will keep referring to it under that name.

The change was proposed long ago, and deferred by the chairs until now.  This
is just another variant of the inertia argument.

Peter.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Ted Lemon
On Dec 2, 2016, at 4:10 PM, Peter Gutmann  wrote:
> Ugh, how very geeky,

Really?



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Peter Gutmann
Hubert Kario  writes:

>speaking of confusion, do you know that e-mail clients by "SSL" mean
>"SSL/TLS" and by "TLS" mean "STARTTLS"? (note the port numbers)
>https://sils.unc.edu/it-services/email-faq/outlook
>https://mail.aegee.org/smtp/kmail.html
>https://sils.unc.edu/it-services/my-computer/email-faq/thunderbird

Ugh, how very geeky, all the charm of fetchmail with a GUI bolted on.  The
fact that security geeks suck at UX isn't really proof of anything (other than
that you need to let interaction designers do your UX, not security people).

With Apple Mail, all you have to do is click on "Use Secure Sockets Layer" and
you're done (note the name).  With the Android mailer I use it's not even
that, it's autoconfigured, just point it at your email domain and give a
username and password.

Peter.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Patrick McManus
I favor naming the result tls 1.3 - the X in 1.X has effectively become the
modern versioning field and we should stick with that road now as the best
of a bunch of weak options.

-Patrick


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Michael D'Errico

Aaron Zauner wrote:


(of course I'd opt for SSLv5 just to mess with people).


I'm surprised nobody has yet suggested retroactive renaming:

SSLv4  ==  TLS 1.0
SSLv5  ==  TLS 1.1
SSLv6  ==  TLS 1.2
SSLv7  ==  TLS 1.3

Mike



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Aaron Zauner
* Sean Turner  [18/11/2016 03:13:23] wrote:
> At IETF 97, the chairs led a discussion to resolve whether the WG should 
> rebrand TLS1.3 to something else.  Slides can be found @ 
> https://www.ietf.org/proceedings/97/slides/slides-97-tls-rebranding-aka-pr612-01.pdf.
> 
> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not 
> rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision on 
> the list so please let the list know your top choice between:
> 
> - Leave it TLS 1.3

Please let's keep it to TLS 1.3 which we have been talking about for
a couple of years now, no-one expects a protocol from this WG with a
different name (of course I'd opt for SSLv5 just to mess with people).

Aaron



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Salz, Rich
> after considering all of the good points that have been circulating, I would 
> like to change my vote 


Woah, are you new here? :)



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Salz, Rich

> Can’t we borrow one from tictoc?

Ever since they merged with NTP, it seems to be lost in a time loop and nobody 
can find it.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Ackermann, Michael
+2 on removing all references to SSL.


From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of darin.pet...@usbank.com
Sent: Friday, December 2, 2016 1:55 PM
To: Andrei Popov 
Cc: TLS ;  
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*

+1 with Andrei.

"That SSL should never be used" is the one clear message we have so going back 
to SSL would muddy those waters too much.  Strong vote for staying with TLS.  
It will become better known over time- especially with the current enterprise 
push to deprecate all SSL versions from use.
Regarding the numbering schema, someone recently mentioned that probably only a 
few hundred of us are aware of the TLS 1.3 nomenclature at this point and I 
would concur with that.  So, after considering all of the good points that have 
been circulating, I would like to change my vote to TLS 2017.  It provides 
clarity, recognizes that it is a major change and pulls us out of the whole 
SSL/TLS numbering confusion/quagmire.

Darin



From: Andrei Popov
To: Daniel Kahn Gillmor, Peter Gutmann, Stephen Farrell, David Benjamin, Tony Arcieri, tls@ietf.org
Date: 12/02/2016 12:34 PM
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*
Sent by: "TLS"




Indeed, "all known versions of SSL are broken and should never be used" is what 
I've been telling people for a while now...

-Original Message-
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Daniel Kahn Gillmor
Sent: Friday, December 2, 2016 6:36 AM
To: Peter Gutmann; Stephen Farrell; David Benjamin; Tony Arcieri; tls@ietf.org
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*

On Fri 2016-12-02 03:33:21 -0500, Peter Gutmann wrote:
> If no-one from Microsoft has any objections, can we just rename it
> back to what it's always been for everyone but us, SSL?

fwiw, the industry (and stackexchange) uses "SSL" to mean all sorts of things, 
not only TLS.  Yesterday i got an e-mail from a reputable CA reseller that said 
"Your SSL is expiring in two days!  Buy a new SSL now!"

Surely no one is proposing that we also re-name the X.509 certificate format to 
"SSL" just because vendors whose business models revolve around these products 
are confused about terminology.  What else should we rename to "SSL" on that 
basis?  Maybe a load-balancer is also "SSL"!

Here's a useful and effective meme for convincing bosses that it's ok to turn 
off SSLv3: all known versions of SSL are broken and should never be used.  
Please do not break this meme by trying to rename TLS to SSL.

I don't care about the bikeshed over the number: i'd be fine with any of TLS 
1.3 or TLS 4 or TLS 2017.  But can we please not create *even more* confusion 
by bikeshedding over the name itself?

  --dkg



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Viktor Dukhovni

> On Dec 2, 2016, at 3:33 AM, Peter Gutmann  wrote:
> 
> If no-one from Microsoft has any objections, can we just rename it back to
> what it's always been for everyone but us, SSL?

I was with you up to this point, but I do think that going back to SSL is
not a good idea, and takes us off topic.

Is there any glimmer of rough consensus on:

 * TLS 1.3 vs.
 * TLS 4   vs.
 * TLS 2017 vs.
 * TLS 2.0?

Opening it up even wider seems like a sure way to get nowhere (which is
likely status quo TLS 1.3).

-- 
Viktor.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread darin . pettis
+1 with Andrei. 

"That SSL should never be used" is the one clear message we have so going 
back to SSL would muddy those waters too much.  Strong vote for staying 
with TLS.  It will become better known over time- especially with the 
current enterprise push to deprecate all SSL versions from use. 
Regarding the numbering schema, someone recently mentioned that probably 
only a few hundred of us are aware of the TLS 1.3 nomenclature at this 
point and I would concur with that.  So, after considering all of the good 
points that have been circulating, I would like to change my vote to TLS 
2017.  It provides clarity, recognizes that it is a major change and pulls 
us out of the whole SSL/TLS numbering confusion/quagmire.

Darin



From: Andrei Popov
To: Daniel Kahn Gillmor, Peter Gutmann, Stephen Farrell, David Benjamin, Tony Arcieri, tls@ietf.org
Date: 12/02/2016 12:34 PM
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*
Sent by: "TLS"



Indeed, "all known versions of SSL are broken and should never be used" is 
what I've been telling people for a while now...

-Original Message-
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Daniel Kahn Gillmor
Sent: Friday, December 2, 2016 6:36 AM
To: Peter Gutmann ; Stephen Farrell 
; David Benjamin ; Tony 
Arcieri ;  
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*

On Fri 2016-12-02 03:33:21 -0500, Peter Gutmann wrote:
> If no-one from Microsoft has any objections, can we just rename it 
> back to what it's always been for everyone but us, SSL?

fwiw, the industry (and stackexchange) uses "SSL" to mean all sorts of 
things, not only TLS.  Yesterday i got an e-mail from a reputable CA 
reseller that said "Your SSL is expiring in two days!  Buy a new SSL now!"

Surely no one is proposing that we also re-name the X.509 certificate 
format to "SSL" just because vendors whose business models revolve around 
these products are confused about terminology.  What else should we rename 
to "SSL" on that basis?  Maybe a load-balancer is also "SSL"!

Here's a useful and effective meme for convincing bosses that it's ok to 
turn off SSLv3: all known versions of SSL are broken and should never be 
used.  Please do not break this meme by trying to rename TLS to SSL.

I don't care about the bikeshed over the number: i'd be fine with any of 
TLS 1.3 or TLS 4 or TLS 2017.  But can we please not create *even more* 
confusion by bikeshedding over the name itself?

   --dkg



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Andrei Popov
Indeed, "all known versions of SSL are broken and should never be used" is what 
I've been telling people for a while now...

-Original Message-
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Daniel Kahn Gillmor
Sent: Friday, December 2, 2016 6:36 AM
To: Peter Gutmann ; Stephen Farrell 
; David Benjamin ; Tony 
Arcieri ;  
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*

On Fri 2016-12-02 03:33:21 -0500, Peter Gutmann wrote:
> If no-one from Microsoft has any objections, can we just rename it 
> back to what it's always been for everyone but us, SSL?

fwiw, the industry (and stackexchange) uses "SSL" to mean all sorts of things, 
not only TLS.  Yesterday i got an e-mail from a reputable CA reseller that said 
"Your SSL is expiring in two days!  Buy a new SSL now!"

Surely no one is proposing that we also re-name the X.509 certificate format to 
"SSL" just because vendors whose business models revolve around these products 
are confused about terminology.  What else should we rename to "SSL" on that 
basis?  Maybe a load-balancer is also "SSL"!

Here's a useful and effective meme for convincing bosses that it's ok to turn 
off SSLv3: all known versions of SSL are broken and should never be used.  
Please do not break this meme by trying to rename TLS to SSL.

I don't care about the bikeshed over the number: i'd be fine with any of TLS 
1.3 or TLS 4 or TLS 2017.  But can we please not create *even more* confusion 
by bikeshedding over the name itself?

   --dkg



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Yoav Nir

> On 2 Dec 2016, at 19:58, David Benjamin  wrote:
> 
> (To clarify, I was not at all suggesting we go back to SSL. If we had a time 
> machine, I might make other suggestions, but as far as I know we do not.)

Can’t we borrow one from tictoc?


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread David Benjamin
(To clarify, I was not at all suggesting we go back to SSL. If we had a
time machine, I might make other suggestions, but as far as I know we do
not.)

On Fri, Dec 2, 2016 at 12:45 PM Andrei Popov 
wrote:

> Not that I can speak for the whole of Microsoft, but I would not drop TLS
> support in Windows if it were renamed "SSL":).
>
> However, "transport layer security" makes a lot more sense to me than
> "secure sockets layer" because the latter seems to imply network
> socket-style API, which is not a requirement of this protocol.
>
> Cheers,
>
> Andrei
>
> -Original Message-
> From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Peter Gutmann
> Sent: Friday, December 2, 2016 12:33 AM
> To: Stephen Farrell ; David Benjamin <
> david...@chromium.org>; Tony Arcieri ;  <
> tls@ietf.org>
> Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*
>
> Stephen Farrell  writes:
>
> >IIRC that was sort-of a condition for adoption of the work in the IETF
> >20 years ago, when there were two different protocols already being
> >deployed and the proponents of one of them said "we'll use that other
> >one (SSL) but you gotta change the name of the standard or we can't get
> >our  to agree to change to all use the same thing."
>
> It was Netscape with SSL vs. Microsoft with PCT.
>
> If no-one from Microsoft has any objections, can we just rename it back to
> what it's always been for everyone but us, SSL?
>
> Peter.
>


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Andrei Popov
Not that I can speak for the whole of Microsoft, but I would not drop TLS 
support in Windows if it were renamed "SSL":).

However, "transport layer security" makes a lot more sense to me than "secure 
sockets layer" because the latter seems to imply network socket-style API, 
which is not a requirement of this protocol.

Cheers,

Andrei

-Original Message-
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Peter Gutmann
Sent: Friday, December 2, 2016 12:33 AM
To: Stephen Farrell ; David Benjamin 
; Tony Arcieri ;  

Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*

Stephen Farrell  writes:

>IIRC that was sort-of a condition for adoption of the work in the IETF 
>20 years ago, when there were two different protocols already being 
>deployed and the proponents of one of them said "we'll use that other 
>one (SSL) but you gotta change the name of the standard or we can't get 
>our  to agree to change to all use the same thing."

It was Netscape with SSL vs. Microsoft with PCT.

If no-one from Microsoft has any objections, can we just rename it back to what 
it's always been for everyone but us, SSL?

Peter.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Hubert Kario
On Friday, 2 December 2016 16:12:05 CET Salz, Rich wrote:
> > Here's a useful and effective meme for convincing bosses that it's ok to
> > turn off SSLv3: all known versions of SSL are broken and should never be
> > used. Please do not break this meme by trying to rename TLS to SSL.
> 
> Is "all known versions before SSL 4" that much worse?

given:
1. we have people that need support for SSLv3 and SSLv2 style Client Hello 
messages (The Web is not the only place where SSL/TLS is deployed), let alone 
TLS 1.0
2. TLS 1.2 is not broken (so the statement is demonstrably false)

yes, it is much worse

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Rob Stradling

On 02/12/16 14:53, Thomas Pornin wrote:
> Commercial CA tend to sell "SSL certificates", not "TLS certificates"
> or "SSL/TLS certificates".

It's worse than that.  Many customers, and even some salespeople, seem 
to think that we sell "SSLs".


--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Salz, Rich
> Here's a useful and effective meme for convincing bosses that it's ok to turn
> off SSLv3: all known versions of SSL are broken and should never be used.
> Please do not break this meme by trying to rename TLS to SSL.

Is "all known versions before SSL 4" that much worse?



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Daniel Kahn Gillmor
On Fri 2016-12-02 03:33:21 -0500, Peter Gutmann wrote:
> If no-one from Microsoft has any objections, can we just rename it back to
> what it's always been for everyone but us, SSL?

fwiw, the industry (and stackexchange) uses "SSL" to mean all sorts of
things, not only TLS.  Yesterday i got an e-mail from a reputable CA
reseller that said "Your SSL is expiring in two days!  Buy a new SSL
now!"

Surely no one is proposing that we also re-name the X.509 certificate
format to "SSL" just because vendors whose business models revolve
around these products are confused about terminology.  What else should
we rename to "SSL" on that basis?  Maybe a load-balancer is also "SSL"!

Here's a useful and effective meme for convincing bosses that it's ok to
turn off SSLv3: all known versions of SSL are broken and should never be
used.  Please do not break this meme by trying to rename TLS to SSL.

I don't care about the bikeshed over the number: i'd be fine with any of
TLS 1.3 or TLS 4 or TLS 2017.  But can we please not create *even more*
confusion by bikeshedding over the name itself?

   --dkg




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Maarten Bodewes
Hi all,

The point is we are now indeed on draft 18. Changing the name now is very
problematic because everybody on the mailinglist already calls it TLS 1.3,
for a long time and no matter what you do, a lot of us (who are hopefully
the experts) will keep referring to it under that name.

If you want a name change, introduce it early (as editor of the RFC, these
guys should be able to make this kind of decision) or otherwise keep the
name.

The same kind of discussion was on the SHA-3 mailing list, where some
argued for AHS instead of SHA-3. The same problem ensued there and SHA-3
was kept in the end (although I don't know how the decision was made at
that time).

Further discussions continue at s...@ietf.org ;)

Regards,
Maarten

2016-12-02 15:54 GMT+01:00 Ted Lemon :

> The bottom line is that this is an unanswerable question.   My advice
> is to not change the name, because I think more name changes = more
> confusion and it is _way_ too late to put TLS back in the box.   But
> what do I know--I'm just an end user!   :)
>
> On Fri, Dec 2, 2016 at 9:42 AM, Hubert Kario  wrote:
> > On Friday, 2 December 2016 14:12:38 CET Salz, Rich wrote:
> >> > SSL 2 < SSL 3 < "SSL" 1.0 < "SSL" 1.1 < "SSL" 1.2 < "SSL" 4 is not
> >> > logical ordering
> >>
> >> So?  Who cares?  A couple-hundred people in the IETF.  And the issue is
> >> that SSL 3 < "SSL" 1.0 which is the issue no matter what we call what
> >> we're doing here.  And the quotes around the last SSL do not belong there.
> >
> >> You can say that calling it "TLS 1.3" promulgates the illogical
> >> ordering, or you could say it continues a renumbering.  A renumbering
> >> that the world has never recognized or understood.  You can say that
> >> "SSL 4" confuses people twice, or you can say that it restores sanity to
> >> a 20-year glitch and starts us using the same name that the rest of the
> >> world, *and our industry,* uses.
> >
> > what it does is it introduces a second glitch
> >
> > speaking of confusion, do you know that e-mail clients by "SSL" mean
> "SSL/TLS"
> > and by "TLS" mean "STARTTLS"?
> > (note the port numbers)
> > https://sils.unc.edu/it-services/email-faq/outlook
> > https://mail.aegee.org/smtp/kmail.html
> > https://sils.unc.edu/it-services/my-computer/email-faq/thunderbird
> >
> > --
> > Regards,
> > Hubert Kario
> > Senior Quality Engineer, QE BaseOS Security team
> > Web: www.cz.redhat.com
> > Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
> >


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Ted Lemon
The bottom line is that this is an unanswerable question.   My advice
is to not change the name, because I think more name changes = more
confusion and it is _way_ too late to put TLS back in the box.   But
what do I know--I'm just an end user!   :)

On Fri, Dec 2, 2016 at 9:42 AM, Hubert Kario  wrote:
> On Friday, 2 December 2016 14:12:38 CET Salz, Rich wrote:
>> > SSL 2 < SSL 3 < "SSL" 1.0 < "SSL" 1.1 < "SSL" 1.2 < "SSL" 4 is not logical
>> > ordering
>>
>> So?  Who cares?  A couple-hundred people in the IETF.  And the issue is that
>> SSL 3 < "SSL" 1.0 which is the issue no matter what we call what we're
>> doing here.  And the quotes around the last SSL do not belong there.
>
>> You can say that calling it "TLS 1.3" promulgates the illogical ordering, or
>> you could say it continues a renumbering.  A renumbering that the world has
>> never recognized or understood.  You can say that "SSL 4" confuses people
>> twice, or you can say that it restores sanity to a 20-year glitch and
>> starts us using the same name that the rest of the world, *and our
>> industry,* uses.
>
> what it does is it introduces a second glitch
>
> speaking of confusion, do you know that e-mail clients by "SSL" mean "SSL/TLS"
> and by "TLS" mean "STARTTLS"?
> (note the port numbers)
> https://sils.unc.edu/it-services/email-faq/outlook
> https://mail.aegee.org/smtp/kmail.html
> https://sils.unc.edu/it-services/my-computer/email-faq/thunderbird
>
> --
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
>


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Thomas Pornin
On Fri, Dec 02, 2016 at 02:17:24PM +, Ackermann, Michael wrote:
> In Enterprise circles TLS is an unknown acronym and as painful as it
> is,  we must usually refer to it as SSL,  before anyone knows what we
> are talking about.  Software products are guilty too.   Parameter
> fields frequently reference SSL.   :(

Actually there is a large variety in what I encounter (I work in a big
financial institution, and I have gone through other big organisations).

Some will just know "SSL" and talk about SSL for all protocols in the
"SSL" family (which so far includes SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1
and TLS 1.2).

Some will use "SSL" for SSL 2.0 and SSL 3.0, and "TLS" for the TLS 1.x
versions. They then ban "SSL" and want to enforce "TLS". When they
encounter regulations that say "don't use TLS 1.0, only TLS 1.1+", they
get confused.

Some people and software interfaces use "SSL vs TLS" in a completely
different way, in the context of protocols like IMAP or FTPS: they use
"SSL" to mean "SSL handshake first, then protocol inside it", and "TLS"
to mean "protocol first and a STARTTLS command". This distinction is
orthogonal to protocol versions.

Commercial CA tend to sell "SSL certificates", not "TLS certificates"
or "SSL/TLS certificates". In a similar vein, the 'S' in 'HTTPS' does
_not_ mean "SSL", but not many people know that.

When I encounter someone who knows the differences between all versions,
then I am in front of a mirror. The taxonomy is confused and
complicated, and people who are maniacal enough to learn and remember it
are very rare.



If we look at what Microsoft did when it encountered the same kind of
terminology mess, it decided that the number following 2000 was "XP".
Lately, for server versions, Microsoft uses a year-based numbering,
and even so, they depart from it at times, e.g. when they decided that
"2009" was really "2008R2".

In practice, people don't have problem with gaps in numbering; they
are even eager to _create_ gaps when convenient, for instance by
not acknowledging the existence of Windows Vista.


So my conclusion is that terminology is essentially fluid and chosen by
people in the field, without any form of concertation and with a trend
toward simplification: the _operational_ notion is to lump versions into
two groups, the ones that must be used and the ones that must not be
used. There is about nothing IETF can do about it (though a really
poorly chosen name might increase confusion even further). The only
naming scheme which is kinda coherent is the numbering scheme on the
wire (3.0, 3.1...), and even that one fails to capture SSL 2.0 (which is
in fact 0.2 on the wire).


--Thomas Pornin

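The wire-version point Thomas Pornin makes above (and Hubert Kario's earlier remark that SSLv2-style ClientHellos are still in use) is easier to see in code. The decoder below is an added example written for this page, not code posted by anyone in the thread. It maps the version bytes a ClientHello actually carries (0x0002 for SSL 2.0, 0x0300 for SSL 3.0, 0x0301 through 0x0304 for TLS 1.0 through TLS 1.3) to the names people argue about, and handles both the SSLv2-format ClientHello and the record-layer form, where a TLS 1.3 client keeps legacy_version at 0x0303 and puts its real offer in the supported_versions extension. The sample ClientHellos are constructed by the two build_* helpers, not captured traffic, and the function names are this example's own.

```python
from __future__ import annotations

import struct

# Wire (major, minor) -> the name people actually use. SSL 2.0 is the odd one
# out at 0x0002; everything since is numbered as an SSL 3.x minor version.
WIRE_VERSION_NAMES = {
    (0, 2): "SSL 2.0",
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",  # i.e. "SSL 3.4" on the wire
}
HANDSHAKE_RECORD = 0x16          # record-layer content type
CLIENT_HELLO = 0x01              # handshake type; same value in the SSLv2 format
EXT_SUPPORTED_VERSIONS = 0x002B  # TLS 1.3 supported_versions extension


def version_name(major: int, minor: int) -> str:
    """Map a wire version to its name, keeping unknown values visible."""
    return WIRE_VERSION_NAMES.get((major, minor), f"unknown 0x{major:02x}{minor:02x}")


def offered_versions(data: bytes) -> list[str]:
    """Return the versions a ClientHello offers, highest preference first.

    Accepts the SSLv2-format ClientHello (no record layer, high bit of the
    first byte set) and the SSL 3.0+ record-layer form. A TLS 1.3 client keeps
    legacy_version at 0x0303 and puts its real offer in supported_versions.
    """
    try:
        if data[0] & 0x80:
            length = ((data[0] & 0x7F) << 8) | data[1]      # 15-bit SSLv2 length
            if length < 3 or len(data) < 2 + length or data[2] != CLIENT_HELLO:
                raise ValueError("malformed SSLv2 ClientHello")
            return [version_name(data[3], data[4])]

        if data[0] != HANDSHAKE_RECORD:
            raise ValueError("not a handshake record")
        (rec_len,) = struct.unpack(">H", data[3:5])
        body = data[5:5 + rec_len]
        if len(body) != rec_len or body[0] != CLIENT_HELLO:
            raise ValueError("not a complete ClientHello record")
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) != hs_len or hs_len < 34:
            raise ValueError("truncated ClientHello")

        legacy = version_name(hello[0], hello[1])
        pos = 2 + 32                                           # client_version + random
        pos += 1 + hello[pos]                                  # session_id
        pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]                                  # compression_methods
        if pos >= len(hello):
            return [legacy]                                    # no extensions at all
        (ext_len,) = struct.unpack(">H", hello[pos:pos + 2])
        pos, end = pos + 2, pos + 2 + ext_len
        if end > len(hello):
            raise ValueError("truncated extensions")
        while pos + 4 <= end:
            ext_type, ext_body_len = struct.unpack(">HH", hello[pos:pos + 4])
            ext_body = hello[pos + 4:pos + 4 + ext_body_len]
            pos += 4 + ext_body_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                vers = ext_body[1:1 + ext_body[0]]
                return [version_name(vers[i], vers[i + 1]) for i in range(0, len(vers) - 1, 2)]
        return [legacy]
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc


def build_client_hello(legacy: tuple[int, int],
                       supported: list[tuple[int, int]] | None = None) -> bytes:
    """Construct a minimal SSL 3.0+ ClientHello record (sample input, not captured)."""
    hello = bytes(legacy) + b"\x00" * 32   # client_version + all-zero random
    hello += b"\x00"                        # empty session_id
    hello += b"\x00\x02\x13\x01"            # one cipher suite
    hello += b"\x01\x00"                    # null compression only
    if supported is not None:
        vers = b"".join(bytes(v) for v in supported)
        ext = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, 1 + len(vers)) + bytes([len(vers)]) + vers
        hello += struct.pack(">H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE_RECORD, 3, 1]) + struct.pack(">H", len(handshake)) + handshake


def build_sslv2_client_hello(version: tuple[int, int]) -> bytes:
    """Construct an SSLv2-format ClientHello carrying `version` (sample input)."""
    body = bytes([CLIENT_HELLO]) + bytes(version)
    body += b"\x00\x03\x00\x00\x00\x10"      # cipher_spec / session_id / challenge lengths
    body += b"\x01\x00\x80" + b"\x00" * 16   # one 3-byte cipher spec, 16-byte challenge
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


if __name__ == "__main__":
    samples = {
        "pure SSL 2.0 client": build_sslv2_client_hello((0, 2)),
        "SSLv2-format hello from a TLS 1.0 client": build_sslv2_client_hello((3, 1)),
        "TLS 1.2 client, no extensions": build_client_hello((3, 3)),
        "TLS 1.3 client": build_client_hello((3, 3), [(3, 4), (3, 3)]),
    }
    for label, raw in samples.items():
        print(f"{label:42s} -> {offered_versions(raw)}")
```

Run it directly and it prints the offered versions for each constructed sample. Pointed at the first bytes a real client sends, offered_versions() shows what that client actually offers, which is the number an operator has to reason about regardless of what the thread decides to call it.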


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Hubert Kario
On Friday, 2 December 2016 14:12:38 CET Salz, Rich wrote:
> > SSL 2 < SSL 3 < "SSL" 1.0 < "SSL" 1.1 < "SSL" 1.2 < "SSL" 4 is not logical
> > ordering
> 
> So?  Who cares?  A couple-hundred people in the IETF.  And the issue is that
> SSL 3 < "SSL" 1.0 which is the issue no matter what we call what we're
> doing here.  And the quotes around the last SSL do not belong there.

> You can say that calling it "TLS 1.3" promulgates the illogical ordering, or
> you could say it continues a renumbering.  A renumbering that the world has
> never recognized or understood.  You can say that "SSL 4" confuses people
> twice, or you can say that it restores sanity to a 20-year glitch and
> starts us using the same name that the rest of the world, *and our
> industry,* uses.

what it does is it introduces a second glitch

speaking of confusion, do you know that e-mail clients by "SSL" mean "SSL/TLS" 
and by "TLS" mean "STARTTLS"?
(note the port numbers)
https://sils.unc.edu/it-services/email-faq/outlook
https://mail.aegee.org/smtp/kmail.html
https://sils.unc.edu/it-services/my-computer/email-faq/thunderbird

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Ackermann, Michael
+1  On Ted's comments. 

In Enterprise circles TLS is an unknown acronym and as painful as it is,  we 
must usually refer to it as SSL,  before anyone knows what we are talking 
about.  
Software products are guilty too.   Parameter fields frequently reference SSL.  
 :(



-Original Message-
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Ted Lemon
Sent: Friday, December 2, 2016 8:59 AM
To: Salz, Rich 
Cc: tls@ietf.org
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*

Rich, I don't think there is any explanation that can be given for the
assertion without collecting a lot of data.   That said, the objection
makes sense to me.   I certainly think of SSL as poison.   Of course,
the average Joe on the street doesn't even know what TLS stands for,
but the people who are deciding what software to run do.   In that
audience, adding confusion with a new name change is probably bad.
So what Hubert said seems self-evident to me, not requiring any explanation.

On Fri, Dec 2, 2016 at 8:47 AM, Salz, Rich  wrote:
>> People already know that SSL3 is worse than "SSL" 1.0 through 1.2, it's
>> logical that SSL 1.3 continues that trend. Creating "SSL" 4 will bring
>> more confusion.
>
> Please explain that assertion.
>
> --
> Senior Architect, Akamai Technologies
> Member, OpenSSL Dev Team
> IM: richs...@jabber.at Twitter: RichSalz 


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Salz, Rich
> SSL 2 < SSL 3 < "SSL" 1.0 < "SSL" 1.1 < "SSL" 1.2 < "SSL" 4 is not logical 
> ordering

So?  Who cares?  A couple-hundred people in the IETF.  And the issue is that 
SSL 3 < "SSL" 1.0 which is the issue no matter what we call what we're doing 
here.  And the quotes around the last SSL do not belong there.

You can say that calling it "TLS 1.3" promulgates the illogical ordering, or 
you could say it continues a renumbering.  A renumbering that the world has 
never recognized or understood.  You can say that "SSL 4" confuses people 
twice, or you can say that it restores sanity to a 20-year glitch and starts us 
using the same name that the rest of the world, *and our industry,* uses.




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Hubert Kario
On Friday, 2 December 2016 14:04:36 CET Salz, Rich wrote:
> Nobody knows the difference between 1.0, 1.1 and 1.2.
> 
> SSL 4 or SSL 4.0 is a bigger number than 1.x and uses the same term that
> everyone, including our industry, uses.  If someone sees "TLS 1.2" and
> thinks "wow, that's so much worse than SSL 4 because the number is so much
> smaller," then isn't that a good thing, increasing pressure to move
> forward?

Or he thinks "stupid 'experts' pushing stuff down our throats by inflating 
numbers".

Certainly not all of them will think the same thing.
 
> I would much rather spend time explaining "no, really TLS 1.2 is not that
> bad" than have to spend more decades explaining "no, really, that thing the
> world thinks of as SSL is really TLS and 1.3 is really better than what you
> think you should have."

Except in 10 years we may be explaining that "no, TLS 1.3/2.0/4/2017 alone is 
completely insecure, you need to deploy post-quantum crypto on TLS 
1.2/2.0/4/2017"
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Peter Gutmann

"Salz, Rich"  writes:


People already know that SSL3 is worse than "SSL" 1.0 though 1.2 , it's logical
that SSL 1.3 continues that trend. creating "SSL" 4 will bring more confusion.


Please explain that assertion.


I was going to ask that too, the quoted text seems...,  well, gibberish to me.

Peter.




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Hubert Kario
On Friday, 2 December 2016 13:47:20 CET Salz, Rich wrote:
> > People already know that SSL3 is worse than "SSL" 1.0 through 1.2, it's
> > logical that SSL 1.3 continues that trend. Creating "SSL" 4 will bring
> > more confusion.
> 
> Please explain that assertion.

SSL 2 < SSL 3 < "SSL" 1.0 < "SSL" 1.1 < "SSL" 1.2 < "SSL" 4
is not logical ordering

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Salz, Rich
Nobody knows the difference between 1.0, 1.1 and 1.2.

SSL 4 or SSL 4.0 is a bigger number than 1.x and uses the same term that 
everyone, including our industry, uses.  If someone sees "TLS 1.2" and thinks 
"wow, that's so much worse than SSL 4 because the number is so much smaller," 
then isn't that a good thing, increasing pressure to move forward?

I would much rather spend time explaining "no, really TLS 1.2 is not that bad" 
than have to spend more decades explaining "no, really, that thing the world 
thinks of as SSL is really TLS and 1.3 is really better than what you think you 
should have."


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Ted Lemon
Rich, I don't think there is any explanation that can be given for the
assertion without collecting a lot of data.   That said, the objection
makes sense to me.   I certainly think of SSL as poison.   Of course,
the average Joe on the street doesn't even know what TLS stands for,
but the people who are deciding what software to run do.   In that
audience, adding confusion with a new name change is probably bad.
So what Hubert said seems self-evident to me, not requiring any
explanation.

On Fri, Dec 2, 2016 at 8:47 AM, Salz, Rich  wrote:
>> People already know that SSL3 is worse than "SSL" 1.0 through 1.2, it's
>> logical that SSL 1.3 continues that trend. Creating "SSL" 4 will bring
>> more confusion.
>
> Please explain that assertion.
>
> --
> Senior Architect, Akamai Technologies
> Member, OpenSSL Dev Team
> IM: richs...@jabber.at Twitter: RichSalz


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Salz, Rich
> People already know that SSL3 is worse than "SSL" 1.0 through 1.2, it's
> logical that SSL 1.3 continues that trend. Creating "SSL" 4 will bring
> more confusion.

Please explain that assertion.

--  
Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richs...@jabber.at Twitter: RichSalz


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Hubert Kario
On Friday, 2 December 2016 03:12:41 CET Peter Gutmann wrote:
> Tony Arcieri  writes:
> >There's already ample material out there (papers, presentations, mailing
> >list discussions, etc) which talks about "TLS 1.3".
> 
> In other words, the TLS WG and a small number of people who interact with it
> call it TLS 1.3.  That's hardly a strong argument when most of the rest of
> the world doesn't even call it TLS.
> 
> In fact that's something that's come up repeatedly in the bikeshedding so
> far, there are some really good, sound arguments for calling it TLS/SSL 4
> or TLS/SSL 2017, while pretty much the only reasons I've seen for TLS 1.3
> are inertia, "we've always called it that"/"I don't want to change"/etc.

People already know that SSL3 is worse than "SSL" 1.0 through 1.2, it's 
logical that SSL 1.3 continues that trend. Creating "SSL" 4 will bring more 
confusion.

In 10 years time, when the only way for you to get anything that can talk SSL 
3 is to run EOL software and hardware, then we can create "SSL" 4. But not 
when one fifth of the Internet still supports SSL 3.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Matt Caswell
On 2 December 2016 at 09:22, Yoav Nir  wrote:
>
>> On 2 Dec 2016, at 10:33, Peter Gutmann  wrote:
>>
>> Stephen Farrell  writes:
>>
>>> IIRC that was sort-of a condition for adoption of the work in the IETF 20
>>> years ago, when there were two different protocols already being deployed 
>>> and
>>> the proponents of one of them said "we'll use that other one (SSL) but you
>>> gotta change the name of the standard or we can't get our  to agree
>>> to change to all use the same thing."
>>
>> It was Netscape with SSL vs. Microsoft with PCT.
>>
>> If no-one from Microsoft has any objections, can we just rename it back to
>> what it's always been for everyone but us, SSL?
>
> Is that even possible? The way I’ve heard it “SSL” is a registered trademark 
> owned by Netscape (now AOL), so we can’t use it unless AOL lawyers sign off 
> on that. It might be wrong, but if it’s true - good luck with that.

It does not appear on this list of AOL trademarks:

http://legal.aol.com/trademarks/

Searching here does not turn up any relevant *registered* trademarks:

http://tmsearch.uspto.gov/bin/showfield?f=toc&state=4803%3Aaagjih.1.1&p_search=searchss&p_L=50&BackReference=&p_plural=yes&p_s_PARA1=&p_tagrepl~%3A=PARA1%24LD&expr=PARA1+AND+PARA2&p_s_PARA2=SSL&p_tagrepl~%3A=PARA2%24COMB&p_op_ALL=AND&a_default=search&a_search=Submit+Query&a_search=Submit+Query


It does not appear to be a current trademark if it ever was one. IANAL
but IIUC a trademark is only valid for as long as it is in use and
defended.

Matt



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Peter Gutmann
Yoav Nir  writes:

>The way I’ve heard it “SSL” is a registered trademark owned by Netscape (now
>AOL), so we can’t use it unless AOL lawyers sign off on that. It might be
>wrong, but if it’s true - good luck with that.

http://tmsearch.uspto.gov/bin/showfield?f=toc&state=4810%3Ajoxwrl.1.1&p_search=searchss&p_L=50&BackReference=&p_plural=yes&p_s_PARA1=&p_tagrepl%7E%3A=PARA1%24LD&expr=PARA1+AND+PARA2&p_s_PARA2=ssl&p_tagrepl%7E%3A=PARA2%24COMB&p_op_ALL=AND&a_default=search&a_search=Submit+Query&a_search=Submit+Query
 

http://tmsearch.uspto.gov/bin/showfield?f=toc&state=4805%3A16epd1.1.1&p_search=searchstr&BackReference=&p_L=100&p_plural=yes&p_s_PARA1=SSL&p_tagrepl%7E%3A=PARA1%24ALL&expr=PARA1+and+PARA2&p_s_PARA2=security&p_tagrepl%7E%3A=PARA2%24ALL&a_default=search&f=toc&state=4805%3A16epd1.1.1&a_search=Submit+Query

http://tmsearch.uspto.gov/bin/showfield?f=toc&state=4805%3A16epd1.4.1&p_search=searchstr&BackReference=&p_L=100&p_plural=yes&p_s_PARA1=%22secure+sockets+layer%22&p_tagrepl%7E%3A=PARA1%24ALL&expr=PARA1+or+PARA2&p_s_PARA2=&p_tagrepl%7E%3A=PARA2%24ALL&a_default=search&f=toc&state=4805%3A16epd1.4.1&a_search=Submit+Query

Doesn't look like it.  And even if it was, Netscape's failure to defend it
against infringement by half the planet would probably make its enforceability
dubious.

Peter.




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Yoav Nir

> On 2 Dec 2016, at 10:33, Peter Gutmann  wrote:
> 
> Stephen Farrell  writes:
> 
>> IIRC that was sort-of a condition for adoption of the work in the IETF 20
>> years ago, when there were two different protocols already being deployed and
>> the proponents of one of them said "we'll use that other one (SSL) but you
>> gotta change the name of the standard or we can't get our  to agree
>> to change to all use the same thing."
> 
> It was Netscape with SSL vs. Microsoft with PCT.
> 
> If no-one from Microsoft has any objections, can we just rename it back to
> what it's always been for everyone but us, SSL?

Is that even possible? The way I’ve heard it “SSL” is a registered trademark 
owned by Netscape (now AOL), so we can’t use it unless AOL lawyers sign off on 
that. It might be wrong, but if it’s true - good luck with that.

Yoav



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Peter Gutmann
Stephen Farrell  writes:

>IIRC that was sort-of a condition for adoption of the work in the IETF 20
>years ago, when there were two different protocols already being deployed and
>the proponents of one of them said "we'll use that other one (SSL) but you
>gotta change the name of the standard or we can't get our  to agree
>to change to all use the same thing."

It was Netscape with SSL vs. Microsoft with PCT.

If no-one from Microsoft has any objections, can we just rename it back to
what it's always been for everyone but us, SSL?

Peter.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Stephen Farrell


On 02/12/16 03:35, David Benjamin wrote:
> In hindsight, renaming SSL 3.1 was a terrible mistake.

IIRC that was sort-of a condition for adoption of the work
in the IETF 20 years ago, when there were two different
protocols already being deployed and the proponents of one
of them said "we'll use that other one (SSL) but you gotta
change the name of the standard or we can't get our 
to agree to change to all use the same thing."

So changing to TLS was maybe a mistake or maybe not as it
allowed us to end up with one protocol with two names and
not two (or more) protocols.

Cheers,
S.





Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-01 Thread Bill Frantz

On 12/2/16 at 8:48 PM, rs...@akamai.com (Salz, Rich) wrote:

> And also, the world will not care about a gap in numbering.  Nobody cared
> that there was no Windows 9.

If we go with 2017, we can tell the world that by using the year 
the standard was approved, instead of a confusing set of names 
and numbers, we are eliminating any confusion about which 
version is the most recent.


Cheers - Bill

---
Bill Frantz        | gets() remains as a monument | Periwinkle
(408)356-8506      | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns.             | Los Gatos, CA 95032




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-01 Thread Salz, Rich
> If we call the next one 4, we have to explain a gap in the versioning (1.0, 
> 1.1, 1.2, 4?) and placing 2.0 and 3.0 after 1.2 becomes even more inviting.

No we don't have to explain it.  Most of the world isn't OCD types like those 
of us in this field.

> Once SSL 3.0 falls away, we'll be left with 1.0, 1.1, 1.2, and 1.3, which is 
> a plausible numbering progression. There'll still be the mess with SSL being 
> the informal name for the protocol family, but that isn't a numbering problem.

Once SSL 3.0 falls away, the industry will still be calling the protocol SSL.  
Except now the common name and the real name have no relationship.

And also, the world will not care about a gap in numbering.  Nobody cared that 
there was no Windows 9.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-01 Thread Salz, Rich
> In other words, the TLS WG and a small number of people who interact with
> it call it TLS 1.3.  That's hardly a strong argument when most of the rest of
> the world doesn't even call it TLS.

Strongly agreed

> pretty much the only reasons I've seen for TLS 1.3 are
> inertia, "we've always called it that"/"I don't want to change"/etc.

Yes.

Think outside the community.  The world calls it SSL.  Many of the vendors in 
this industry also call it SSL.

SSL 4 or greater.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-01 Thread David Benjamin
On Thu, Dec 1, 2016 at 10:12 PM Peter Gutmann wrote:

> Tony Arcieri  writes:
>
> >There's already ample material out there (papers, presentations, mailing
> >list discussions, etc) which talks about "TLS 1.3".
>
> In other words, the TLS WG and a small number of people who interact with
> it call it TLS 1.3.  That's hardly a strong argument when most of the rest
> of the world doesn't even call it TLS.
>
> In fact that's something that's come up repeatedly in the bikeshedding so
> far, there are some really good, sound arguments for calling it TLS/SSL 4 or
> TLS/SSL 2017, while pretty much the only reasons I've seen for TLS 1.3 are
> inertia, "we've always called it that"/"I don't want to change"/etc.


I think TLS 4 makes everything worse, not better.

In hindsight, renaming SSL 3.1 was a terrible mistake. But TLS 1.2 is going
to exist for a long time. If we call the next one 4, we have to explain a
gap in the versioning (1.0, 1.1, 1.2, 4?) and placing 2.0 and 3.0 after 1.2
becomes even more inviting.

Short of a time machine so we can call this SSL 3.4, the best fix is to let
SSL 3.0 fall away. This is already semi-plausible (it's out of all
browsers) and is only going to become more realistic over time. Certainly
it will be faster than TLS 1.2 going away and undoing TLS 4's version gap
problem. (TLS 1.3 even places SSL 3.0 as a MUST NOT, for what little teeth
that has.)

Once SSL 3.0 falls away, we'll be left with 1.0, 1.1, 1.2, and 1.3, which
is a plausible numbering progression. There'll still be the mess with SSL
being the informal name for the protocol family, but that isn't a numbering
problem.

David


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-01 Thread Peter Gutmann
Tony Arcieri  writes:

>There's already ample material out there (papers, presentations, mailing list
>discussions, etc) which talks about "TLS 1.3".

In other words, the TLS WG and a small number of people who interact with it
call it TLS 1.3.  That's hardly a strong argument when most of the rest of the
world doesn't even call it TLS.

In fact that's something that's come up repeatedly in the bikeshedding so far,
there are some really good, sound arguments for calling it TLS/SSL 4 or
TLS/SSL 2017, while pretty much the only reasons I've seen for TLS 1.3 are
inertia, "we've always called it that"/"I don't want to change"/etc.

Peter.

  


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-01 Thread Watson Ladd
On Thu, Dec 1, 2016 at 6:16 PM, Tony Arcieri  wrote:
> On Wed, Nov 30, 2016 at 8:43 PM, Viktor Dukhovni wrote:
>>
>> > I actually completely agree with Timothy Jackson's recent posting:
>> >
>> >   After 15 years, everyone but us still calls it SSL. We need to
>> >   admit that we lost the marketing battle and plan for a world where
>> >   everyone calls “TLS X” “SSL X”. Even “new” implementations call
>> >   themselves “LibreSSL” and “BoringSSL” rather than “LibreTLS” or
>> >   “BoringTLS”.
>>
>> I'll drink to that!
>
>
> I will also +1 this and add that if the goal is to reduce confusion, a last
> minute renaming of TLS 1.3 to something else probably won't accomplish that,
> but will rather create more confusion. There's already ample material out
> there (papers, presentations, mailing list discussions, etc) which talks
> about "TLS 1.3". Rebranding it now would add an additional bit of errata
> everyone needs to learn if they ever encountered the "TLS 1.3" version in
> any of these materials. And I think the whole SSL/TLS thing is errata
> enough.

So what should X be in the above email? Clearly it should be \geq 4.




-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-01 Thread Tony Arcieri
On Wed, Nov 30, 2016 at 8:43 PM, Viktor Dukhovni wrote:

> > I actually completely agree with Timothy Jackson's recent posting:
> >
> >   After 15 years, everyone but us still calls it SSL. We need to
> >   admit that we lost the marketing battle and plan for a world where
> >   everyone calls “TLS X” “SSL X”. Even “new” implementations call
> >   themselves “LibreSSL” and “BoringSSL” rather than “LibreTLS” or
> >   “BoringTLS”.
>
> I'll drink to that!


I will also +1 this and add that if the goal is to reduce confusion, a last
minute renaming of TLS 1.3 to something else probably won't accomplish
that, but will rather create more confusion. There's already ample material
out there (papers, presentations, mailing list discussions, etc) which
talks about "TLS 1.3". Rebranding it now would add an additional bit of
errata everyone needs to learn if they ever encountered the "TLS 1.3"
version in any of these materials. And I think the whole SSL/TLS thing is
errata enough.

-- 
Tony Arcieri


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-30 Thread Viktor Dukhovni

> On Nov 30, 2016, at 11:28 PM, Peter Gutmann  wrote:
> 
> I actually completely agree with Timothy Jackson's recent posting:
> 
>   After 15 years, everyone but us still calls it SSL. We need to 
>   admit that we lost the marketing battle and plan for a world where 
>   everyone calls “TLS X” “SSL X”. Even “new” implementations call 
>   themselves “LibreSSL” and “BoringSSL” rather than “LibreTLS” or 
>   “BoringTLS”.

I'll drink to that!

I also find it amusing that muttered under one's breath, with just
a touch of voicing on the "s" sounds, SSL sounds rather like "azazel",
which seems rather apt:

  https://en.wikipedia.org/wiki/Azazel

-- 
Viktor.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-30 Thread Peter Gutmann
Nick Sullivan  writes:

>I took a very unofficial Twitter poll on this subject:
>https://twitter.com/grittygrease/status/80364408215424

Given the lack of context for the question (an out-of-the-blue query
to a random bunch of people on Twitter), I think the inevitable TLSy 
McTLSface (given as Crypty McCryptFace in one response) is kind of 
representative of the quality of responses...

I actually completely agree with Timothy Jackson's recent posting:

  After 15 years, everyone but us still calls it SSL. We need to 
  admit that we lost the marketing battle and plan for a world where 
  everyone calls “TLS X” “SSL X”. Even “new” implementations call 
  themselves “LibreSSL” and “BoringSSL” rather than “LibreTLS” or 
  “BoringTLS”.

Spurred by that, I've been watching out for any uses of $protocol-name
that I come across in news, books, journals, blogs, whatever.
It's pretty clear cut: What we call TLS, the rest of the world calls
SSL.  The only place where it was referred to specifically as TLS
was in IETF WG postings and in conference papers.  To the rest of
the world, the protocol is SSL.  So given that the world will know
it as SSL, it had better have a number that makes
explicit what precedence it takes, either 4 or 2017.  Whatever it
is, it needs to be something that can be ranked against "SSL" and
"SSL 3" and be an obvious improvement.

Peter.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-30 Thread Nick Sullivan
I took a very unofficial Twitter poll on this subject:
https://twitter.com/grittygrease/status/80364408215424

Nick



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-29 Thread Raja ashok
I feel we can go ahead with TLS 1.3.

Or else TLS 3.4, because anyway we send 0x0304 on wire for TLS 1.3.

I hope all other three options (TLS 2.0, TLS 2 and TLS 4) will cause confusion
with SSL versions for end users.




Raja Ashok VK
华为技术有限公司 Huawei Technologies Co., Ltd.
Huawei Technologies Co., Ltd.
Bangalore, India
http://www.huawei.com

-Original Message-
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Sean Turner
Sent: 18 November 2016 07:43
To: 
Subject: [TLS] Confirming consensus: TLS1.3->TLS*

At IETF 97, the chairs led a discussion to resolve whether the WG should
rebrand TLS1.3 to something else.  Slides can be found @
https://www.ietf.org/proceedings/97/slides/slides-97-tls-rebranding-aka-pr612-01.pdf.

The consensus in the room was to leave it as is, i.e., TLS1.3, and to not
rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision on
the list so please let the list know your top choice between:

- Leave it TLS 1.3
- Rebrand TLS 2.0
- Rebrand TLS 2
- Rebrand TLS 4

by 2 December 2016.

Thanks,
J&S


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-28 Thread Timothy Jackson
At this point, my personal opinion is to move on from TLS 1.3 to either TLS 
4/4.0 or TLS 2017.

After 15 years, everyone but us still calls it SSL. We need to admit that we 
lost the marketing battle and plan for a world where everyone calls “TLS X” 
“SSL X”. Even “new” implementations call themselves “LibreSSL” and “BoringSSL” 
rather than “LibreTLS” or “BoringTLS”.

As SSL is removed from products, we’re likely to get more and more questions 
“why am I using SSL 1.2, when I thought SSL 3 was broken?” This is a 
*legitimate* question by a user who is educated enough to know that “SSL 3 is 
bad” but has more important things to remember than the distinction between SSL 
and TLS. As others have noted, TLS 4 fixes this when users call it SSL 4, which 
they definitely will.

Tim


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-25 Thread Dan Brown
I don't oppose any of the 4 given options, but I slightly prefer TLS 2.0, it 
seems simple and clear.  

In my opinion, the whole SSL vs TLS confusion needs better education to 
confront, version numbers (even dates) alone might not be enough.  Renaming 
*SSL products to *TLS should help.  Avoiding "SSL/TLS" might help.

Since others have proposed new options, how about TLS 2.017? Using the date has 
benefits, but the actual crypto changes are much more important, so the decimal 
makes that point.  An old crypto principle is that older is better (among 
equally unbroken options) -- but naming new stuff is just not enough to rid us 
of broken old stuff, so putting dates in names might not undermine this 
principle.  For future naming, on minor changes (or even pre-scheduled reviews 
with no changes), update the date part, on major changes, start from scratch 
(as in 3.2024, or even use different letters ... ).  

By the way, I'm sorry if my opinion diverges from the currently forming 
consensus.

Just my $0.02.
  
Dan

PS Just to be clear, if votes are to be tallied, my vote on this issue should 
be weighted quite low (i.e. 0, unless other votes are weighted low too, and 
some kind of tie-breaker is needed), for at least three reasons: I have not 
followed the TLS 1.3/2.0 spec closely (i.e., I had no part in building the 
shed); I have nearly zero experience dealing with user interpretation (i.e. 
marketing) of protocol names; my preference is weak. (Enough to deserve a 
negative weight, if that were not cheatable;)

PPS I've said before that I prefer TLC(rypto) to TLS(ecurity), but that's 
unlikely to fly, and it may be okay to grandfather this tradition.  (I hope 
names of future crypto protocols (that TLS WG might work on) can be more 
specific and realistic.)



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-22 Thread Anders Rundgren

Using the YEAR as Version was created to make sure that users having old
versions of products that are constantly upgraded would feel the pressure to
upgrade.

This idea doesn't seem equally suitable for security protocols.

TLS 4 would IMO be a logical choice since it is numerically higher than all its 
predecessors.

Anders



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-22 Thread Dave Garrett
(replies to a bunch of ideas in this thread)

As the person who lit the match under this latest bikeshed debate, personally, 
I don't see a strong consensus building here. Leaving the bikeshed unpainted 
seems like the option we're headed for, at this rate. I'm fine with TLS 1.3 if 
that's the result here.

That said, I think I've been somewhat swayed to the TLS 4 camp with the "fourth 
version of TLS" message. It makes a kind of messy sense that's kind of fitting 
for TLS. I'm no longer against it.

I've also suggested highlighting the year in the past, but only in the context 
of the title and messaging, not actually replacing the version number itself. 
I'd be ok with TLS 1.3-2017 (or something), not doing a find/replace of 1.3 and 
changing it to 2017, wholesale. That just feels even more confusing.

Lastly, I am vehemently against the suggestion of ditching the TLS name in 
favor of SSL again, as was also brought up in this thread. SSL is dead and 
insecure, and that message needs to stay. We need to get people to stop 
conflating the two and making this worse, not accepting it.


Dave


On Sunday, November 20, 2016 08:16:07 pm Eric Rescorla wrote:
> I mildly prefer TLS 1.3 to TLS 2 and TLS 4 (If we're going to rev the major
> version number we should abandon the minor one).
> TLS 2017 strikes me as quite bad; we're certainly not planning to do a TLS
> 2018. I am strongly opposed to TLS 2017.
> 
> -Ekr
> 
> 
> On Fri, Nov 18, 2016 at 11:12 AM, Sean Turner  wrote:
> 
> > At IETF 97, the chairs lead a discussion to resolve whether the WG should
> > rebrand TLS1.3 to something else.  Slides can be found @
> > https://www.ietf.org/proceedings/97/slides/slides-
> > 97-tls-rebranding-aka-pr612-01.pdf.
> >
> > The consensus in the room was to leave it as is, i.e., TLS1.3, and to not
> > rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision
> > on the list so please let the list know your top choice between:
> >
> > - Leave it TLS 1.3
> > - Rebrand TLS 2.0
> > - Rebrand TLS 2
> > - Rebrand TLS 4
> >
> > by 2 December 2016.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-22 Thread Daniel Migault
I have a small preference for TLS 1.3.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-22 Thread Scott Schmit
I find it compelling that if we lived in an alternate universe where we
had SSL 1996, TLS 1999, and a recently-published TLS 2006 or TLS 2008,
there would have been a lot less inertia about switching to a later
version.  I find it very optimistic given our history that we could
manage two TLS versions in a year.  If that ever happened, though, we
could do 2019.1 (as an increment) or 2019.11 (for the month).

Barring that, I'd prefer TLS 4, since that gets us out of the version
confusion swamp.  It would seem that almost nobody outside the security
community understands the distinction between SSL and TLS; so if we call
it TLS 4, we'll probably see it referred to as SSLv4.  And that wouldn't
be horrible.  If we call it TLS 2 or TLS 2.0, some might refer to it as
SSLv2.  That would obviously be very bad.

While it's nice to be able to look up information about TLS 1.3 drafts,
most of that information is going to be inaccurate anyway, so I don't
see that as a compelling reason to stick to it.  Granted, you have
specific buzz for "TLS 1.3 is going to really improve things" but that's
fairly easy to translate to "the new version of TLS is going to really
improve things".

The distinction between 2 vs 2.0 seems pretty minor.  SSLv2 is 2.0 and
SSLv3 is 3.0, but few write it that way.

Thus my ranked preference would be:

TLS 2017 > TLS 4 > TLS 1.3 > TLS 2 or TLS 2.0

But if I'm limited to a top choice from the list, then "Rebrand TLS 4"

-- 
Scott Schmit




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Hugo Krawczyk
If it wasn't because we don't need more noise in this discussion I would
have suggested SSL 5.0 which seems to be the logical conclusion from the
reasoning people are using. Clearly, everyone thinks that the battle of
replacing "SSL" with "TLS" in the popular and technical references to the
standard has been lost and there is not much hope to win it in the future.
So if the mountain won't come to Muhammad then go back to SSL and call it
SSL 5.0 leaving SSL 4.0 as an historic parallel/re-naming of TLS 1.0. (Also
note that the two 'S' of SSL already hint to the number 5 and L is 50 in
Roman numerals.)

On a more serious note, I would keep a minor option in whatever is chosen
(e.g. 4.0). The reason is that I can see more resistance in the future to
minor revisions if such revision needs to be called TLS 5 rather than 4.1.
However, minor but crucial revisions may be needed sooner than one hopes
for and delaying them for when more changes are accumulated is not a good
thing.

Hugo


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Salz, Rich
> You should be reluctant to draw too many conclusions from a field which you
> can only access by clicking through a big scary warning that you are voiding
> your warranty:

Warranty?

And sure, users never click through security warnings ☺

At any rate, this was intended to be a little light-hearted, but might have 
rubbed some folks the wrong way.  Sorry ‘bout that.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread David Woodhouse
On Mon, 2016-11-21 at 19:34 +, Salz, Rich wrote:
> Do "about:config" in firefox and look for TLS:
>   security.tls.version.max default   integer  3
> 
> And then perhaps look at http://kb.mozillazine.org/Security.tls.version.* 
> (yes the star is part of the URL)
> 
> EVEN MOZILLA can't get it "right."

What's wrong with that? On a version of Firefox which supports only up
to TLSv1.2, the default setting of security.tls.version.max is 3 (i.e.
TLSv1.2). Which seems reasonable enough.

If you update to a hypothetical newer version of Firefox+NSS which
supports a newer version of TLS, presumably the default value of
security.tls.version.max will be 4, and will take effect unless you've
manually set it to any other value in your own local config.

-- 
dwmw2



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Richard Barnes
On Mon, Nov 21, 2016 at 2:51 PM, Yoav Nir  wrote:

>
> > On 21 Nov 2016, at 20:43, Salz, Rich  wrote:
> >
> >
> >> With this in mind, I'm voting in favor of any re-branding of TLS 1.3
> where the
> >> protocol name remains "TLS" and major version becomes > 1.
> >
> > Me too.
>
> Agree
>

I can live with this approach, though if we go this way, I would have a
strong preference for 4, as the minimum change that gets us clear of the
SSL version numbers.

That said, I still think 1.3 is the most sensible option.  Regardless of
what we do here, we're still going to have to struggle with "N > 1.2 > 1.1
> 1.0 > 3.0" for a long time.  The only decision we've got here is which
additional exasperating conversation we want to have in the future, "Yes, N
is the one that comes after 1.2", or "Yes, 1.3 > 3.0".  Might as well stick
with the one we've been having all along anyway.

--Richard






Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Sean Leonard

+1 to TLS 1.3. My strong preference is TLS 1.3.

Reasons have been advanced ad-nauseam.

Just a couple of additional thoughts:
1.3 is in the protocol. So there.
"Perl 6". Just because you advance a version number to a big one, 
doesn't mean that businesses will see the justification to upgrade.


Sean

On 11/17/2016 6:12 PM, Sean Turner wrote:

> At IETF 97, the chairs led a discussion to resolve whether the WG should
> rebrand TLS1.3 to something else.  Slides can be found @
> https://www.ietf.org/proceedings/97/slides/slides-97-tls-rebranding-aka-pr612-01.pdf.
>
> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not
> rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision on
> the list so please let the list know your top choice between:
>
> - Leave it TLS 1.3
> - Rebrand TLS 2.0
> - Rebrand TLS 2
> - Rebrand TLS 4
>
> by 2 December 2016.
>
> Thanks,
> J&S


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Eric Rescorla
On Mon, Nov 21, 2016 at 11:34 AM, Salz, Rich  wrote:

> Do "about:config" in firefox and look for TLS:
> security.tls.version.max default   integer  3
>
> And then perhaps look at http://kb.mozillazine.org/Security.tls.version.*
> (yes the star is part of the URL)
>
> EVEN MOZILLA can't get it "right."
>

You should be reluctant to draw too many conclusions from a field which you
can only access by clicking through a big scary warning that you are voiding
your warranty:

https://techjourney.net/media/2015/03/firefox-about-config-warning.png

-Ekr




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Short, Todd
Throwing my hat into the ring, the basic record protocol has not changed.

If anything, what is currently referred to as TLSv1.3 is really just a major 
update to the handshake messages.

If the record protocol were to change to use a sane 4-byte header (which I 
proposed many months ago), then I think that calling it TLSv4 or equivalent 
would be appropriate.

At this point, I’d prefer to keep it TLSv1.3, since I don’t consider this a 
significant update to the protocol.
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

On Nov 21, 2016, at 2:51 PM, Yoav Nir wrote:

> On 21 Nov 2016, at 20:43, Salz, Rich wrote:
>
>>> With this in mind, I'm voting in favor of any re-branding of TLS 1.3 where the
>>> protocol name remains "TLS" and major version becomes > 1.
>>
>> Me too.
>
> Agree




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Yoav Nir

> On 21 Nov 2016, at 20:43, Salz, Rich  wrote:
> 
> 
>> With this in mind, I'm voting in favor of any re-branding of TLS 1.3 where 
>> the
>> protocol name remains "TLS" and major version becomes > 1.
> 
> Me too.

Agree




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Salz, Rich
Do "about:config" in firefox and look for TLS:
security.tls.version.max default   integer  3

And then perhaps look at http://kb.mozillazine.org/Security.tls.version.* (yes 
the star is part of the URL)

EVEN MOZILLA can't get it "right."



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread =JeffH

In the room last week, I hummed for "TLS 4".

that said, I overall agree with Andrei's sentiment..

> I'm voting in favor of any re-branding of TLS 1.3 where the
> protocol name remains "TLS" and major version becomes > 1.

HTH,

=JeffH



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread darin . pettis
Hello,

On Mon, Nov 21, 2016 at 9:43 PM, Salz, Rich  wrote:

> With this in mind, I'm voting in favor of any re-branding of TLS 1.3 
where the
> protocol name remains "TLS" and major version becomes > 1.

I originally hummed for 1.3 in the room as that is what people (that are 
currently aware of it) know it by.  However, as the new standard goes out 
into the world, a major revision number seems appropriate to recognize the 
significant changes that have gone into it. 

+1
Darin Pettis




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Dmitry Belyavsky
Hello,

On Mon, Nov 21, 2016 at 9:43 PM, Salz, Rich  wrote:

>
> > With this in mind, I'm voting in favor of any re-branding of TLS 1.3
> where the
> > protocol name remains "TLS" and major version becomes > 1.
>
> Me too.
>

+1


-- 
SY, Dmitry Belyavsky


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Salz, Rich

> With this in mind, I'm voting in favor of any re-branding of TLS 1.3 where the
> protocol name remains "TLS" and major version becomes > 1.

Me too.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Andrei Popov
Peter has some excellent points here (although I would prefer "TLS 2.0").

Perhaps the "re-branders" are losing votes and hums because we're fragmented 
into numerous camps.

With this in mind, I'm voting in favor of any re-branding of TLS 1.3 where the 
protocol name remains "TLS" and major version becomes > 1.

Cheers,

Andrei

-Original Message-
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Peter Gutmann
Sent: Friday, November 18, 2016 6:41 PM
To: Ilari Liusvaara 
Cc:  
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*

Replying to several messages at once to save space:

Ilari Liusvaara:

>One can downnegotiate TLS 1.3 to TLS 1.2.

Ah, you're obviously a fan of Steve Wozniak humour.  When someone asked him 
whether it was possible to upgrade from an Apple II+ to an Apple IIe, he 
similarly said "yes, you unplug the power cable from the II+, throw it away, 
and plug the IIe into the newly-vacated power cable".

Christian Huitema:

>I prefer TLS 1.3, because it signals continuity with the ongoing TLS 
>deployment efforts.

Maybe it's just me, but wouldn't the fact that they're both called TLS sort of 
indicate that there's continuity there?

Dave Kern:

>I'm in favor of TLS 4, and ignoring the minor version number (in the 
>friendly text string, not the protocol field) moving forward.

That's actually a good point, "TLS 4" provides a single, clean number for 
people to remember.  Even a CTO or auditor should be able to get that one right 
without having to look up a table in a book to see that 1.3 > v3.

Peter.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Andrey Jivsov

On 11/17/2016 06:12 PM, Sean Turner wrote:

> At IETF 97, the chairs led a discussion to resolve whether the WG should
> rebrand TLS1.3 to something else.  Slides can be found @
> https://www.ietf.org/proceedings/97/slides/slides-97-tls-rebranding-aka-pr612-01.pdf.
>
> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not
> rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision on
> the list so please let the list know your top choice between:
>
> - Leave it TLS 1.3
> - Rebrand TLS 2.0
> - Rebrand TLS 2
> - Rebrand TLS 4
>
> by 2 December 2016.
>
> ...

TLS 4.

TLS 1.3 introduces major changes to message flow and a substantial
redesign of the crypto.

I will respectfully remind you that earlier this year the WG made a
decision to break backward compatibility with a large number of devices by
rejecting an option to extend the RSA PKCS#1.5 signature padding scheme
allowed in TLS 1.3 to all portions of the handshake. The solution was that
these peers must keep using TLS 1.2:
https://www.ietf.org/mail-archive/web/tls/current/msg19360.html

Changes of this magnitude are not typically associated with a "dot"
release.

+ what others said on confusion with SSL. I don't see this one as a big
deal, but I will go with the consensus of "4.0" vs. "2.0". "1.3" is the
worst choice here.







Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-20 Thread Peter Gutmann
Eric Mill  writes:

>The near-term annoyance of renaming things by folks close to the WG, and the
>chance of some confusion around the edges, seem like small issues compared to
>a positive investment in bending the sanity curve of the next 20 years of
>lazy enterprise decisions.

+1.  I was reading an article earlier today on a security web site (not a
general news site or even an IT news site but specifically a security web
site) where they mentioned that sensitive traffic wasn't SSL-protected.  Even
the security people are still calling it SSL.  So if you number it "4" or
"2017" it doesn't matter whether it's SSL or TLS, it's obvious that it's a
newer version than anything else out there.

Peter.




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-20 Thread Viktor Dukhovni

> On Nov 20, 2016, at 7:56 PM, D. J. Bernstein  wrote:
> 
> Of course people who prioritize retaining the existing "TLS 1.3"
> mindshare will be just as unhappy with "TLS 2017" as with "TLS 4", but
> they'll get over it within a few years. :-)

This worked well enough for IDNA2003 and IDNA2008 (the latter was
finally published in 2010, and even that is not a problem).

So I can get behind TLS 2017.  I had even considered suggesting it,
but did not at the time want to add more options to the mix.

I think the risk of two TLS standards published in a single year
is vanishingly low.  And see no problems with "gaps" in the numbers.

-- 
Viktor.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-20 Thread Mark Nottingham
I give the chairs my full support for whatever colour they wish to paint this 
bikeshed.


> On 18 Nov. 2016, at 1:12 pm, Sean Turner  wrote:
> 
> At IETF 97, the chairs led a discussion to resolve whether the WG should 
> rebrand TLS1.3 to something else.  Slides can be found @ 
> https://www.ietf.org/proceedings/97/slides/slides-97-tls-rebranding-aka-pr612-01.pdf.
> 
> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not 
> rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision on 
> the list so please let the list know your top choice between:
> 
> - Leave it TLS 1.3
> - Rebrand TLS 2.0
> - Rebrand TLS 2
> - Rebrand TLS 4
> 
> by 2 December 2016.
> 
> Thanks,
> J&S

--
Mark Nottingham   https://www.mnot.net/



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-20 Thread Xiaoyin Liu
+1 for “TLS 2017” for all the four reasons given in the proposal.



My overall preference is TLS 2017 > TLS 4 > TLS 2 or 2.0 > TLS 1.3.



Best,

Xiaoyin



From: D. J. Bernstein
Sent: Sunday, November 20, 2016 7:56 PM
To: tls@ietf.org
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*



The messages on the list seem to be perfectly split between "TLS 1.3"
and "TLS 4". I suspect that the "TLS 2017" idea will break this impasse:

   * it shares the fundamental advantage that led to the "TLS 4" idea;
   * it has the additional advantage of making the age obvious;
   * it eliminates the "4 sounds too much like 3" complaint; and
   * it eliminates the "where are TLS 2 and TLS 3?" complaint.

Perhaps it's worth starting a poll specifically between "TLS 1.3" and
"TLS 2017"? Or at least asking whether the new "TLS 2017" option would
swing some previous opinions?

Of course people who prioritize retaining the existing "TLS 1.3"
mindshare will be just as unhappy with "TLS 2017" as with "TLS 4", but
they'll get over it within a few years. :-)

---Dan



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-20 Thread Bill Frantz

On 11/21/16 at 4:56 PM, d...@cr.yp.to (D. J. Bernstein) wrote:

> The messages on the list seem to be perfectly split between "TLS 1.3"
> and "TLS 4". I suspect that the "TLS 2017" idea will break this impasse:
>
>    * it shares the fundamental advantage that led to the "TLS 4" idea;
>    * it has the additional advantage of making the age obvious;
>    * it eliminates the "4 sounds too much like 3" complaint; and
>    * it eliminates the "where are TLS 2 and TLS 3?" complaint.
>
> Perhaps it's worth starting a poll specifically between "TLS 1.3" and
> "TLS 2017"? Or at least asking whether the new "TLS 2017" option would
> swing some previous opinions?
>
> Of course people who prioritize retaining the existing "TLS 1.3"
> mindshare will be just as unhappy with "TLS 2017" as with "TLS 4", but
> they'll get over it within a few years. :-)

The Ecmascript standards body, TC39, has moved to year === version. It
seems to work well for them.

I don't think that using a year means that there will be a new standard
every year.

In the unlikely event that there is a standard bug bad enough to need a
second standard in one year, decimal version(s) could be used, e.g. 2017.1.
It would be understandable and act as punishment for us who screwed up.


Cheers - Bill

---
Bill Frantz        | Concurrency is hard. 12 out     | Periwinkle
(408)356-8506      | of 10 programmers get it wrong. | 16345 Englewood Ave
www.pwpconsult.com |   - Jeff Frantz                 | Los Gatos, CA 95032




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-20 Thread Eric Mill
On Sun, Nov 20, 2016 at 2:17 PM, Filippo Valsorda  wrote:

> I'm definitely for 1.3.
>
> I get where 4 is coming from, but 1.2 is not going anywhere soon, and we
> spent the last 10 years training people that the high-numbered one is
> bad, and that the 1.x ones are cool.
>
> I really don't want to have the following conversation, with the exact
> same people the proponents of 4 are trying to help:
>
> "You only support 1.2, you should support 4"
> "Oh, wasn't it that weird other way around where the high one was
> broken?"
> "Ah, no, 4 is the latest and greatest"
> "Oh, ok, then I should support only 4 and 3?"
> "Nono, 3 is terribly broken."
> "Oh, so only 4? Do all clients support it?"
> "Uh, you should keep 1.2"
> "Ah, so 1.2 is better than 3 but worse than 4?"
> "Yeah... I'm sorry"
>
> "4 is great, 3 is bad, 1.2 is good" is harder than "3 is bad, 1.2 is
> good" was, and harder than "3 is bad, 1.2 is good, 1.3 is great" would
> be.
>

While this conversation might not be impossible, I think it's an unlikely
hypothetical. A change to TLS 4 wouldn't be to address confusion for those
who have already internalized the weird version history (which is mostly
people like us on-list), but for people who only think about TLS/SSL when
they're forced to think about it, once every year or few.

For those people, the real conversations I've had were based on superficial
glances and hazy memories of the protocol history that are reconstituted
every time the subject comes up. Naming it TLS 4 wouldn't fix it for
everyone, but it would be all-upside for some -- as well as providing a
helpful opportunity to drop the faux-minor version number and simplify the
numbering overall in the long term.

The near-term annoyance of renaming things by folks close to the WG, and
the chance of some confusion around the edges, seem like small issues
compared to a positive investment in bending the sanity curve of the next
20 years of lazy enterprise decisions.

-- Eric





-- 
konklone.com | @konklone 


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-20 Thread Eric Rescorla
I mildly prefer TLS 1.3 to TLS 2 and TLS 4 (If we're going to rev the major
version number we should abandon the minor one).
TLS 2017 strikes me as quite bad; we're certainly not planning to do a TLS
2018. I am strongly opposed to TLS 2017.

-Ekr


On Fri, Nov 18, 2016 at 11:12 AM, Sean Turner  wrote:

> At IETF 97, the chairs led a discussion to resolve whether the WG should
> rebrand TLS1.3 to something else.  Slides can be found @
> https://www.ietf.org/proceedings/97/slides/slides-
> 97-tls-rebranding-aka-pr612-01.pdf.
>
> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not
> rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision
> on the list so please let the list know your top choice between:
>
> - Leave it TLS 1.3
> - Rebrand TLS 2.0
> - Rebrand TLS 2
> - Rebrand TLS 4
>
> by 2 December 2016.
>
> Thanks,
> J&S


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-20 Thread D. J. Bernstein
The messages on the list seem to be perfectly split between "TLS 1.3"
and "TLS 4". I suspect that the "TLS 2017" idea will break this impasse:

   * it shares the fundamental advantage that led to the "TLS 4" idea;
   * it has the additional advantage of making the age obvious;
   * it eliminates the "4 sounds too much like 3" complaint; and
   * it eliminates the "where are TLS 2 and TLS 3?" complaint.

Perhaps it's worth starting a poll specifically between "TLS 1.3" and
"TLS 2017"? Or at least asking whether the new "TLS 2017" option would
swing some previous opinions?

Of course people who prioritize retaining the existing "TLS 1.3"
mindshare will be just as unhappy with "TLS 2017" as with "TLS 4", but
they'll get over it within a few years. :-)

---Dan



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-20 Thread Filippo Valsorda
I'm definitely for 1.3.

I get where 4 is coming from, but 1.2 is not going anywhere soon, and we
spent the last 10 years training people that the high-numbered one is
bad, and that the 1.x ones are cool.

I really don't want to have the following conversation, with the exact
same people the proponents of 4 are trying to help:

"You only support 1.2, you should support 4"
"Oh, wasn't it that weird other way around where the high one was
broken?"
"Ah, no, 4 is the latest and greatest"
"Oh, ok, then I should support only 4 and 3?"
"Nono, 3 is terribly broken."
"Oh, so only 4? Do all clients support it?"
"Uh, you should keep 1.2"
"Ah, so 1.2 is better than 3 but worse than 4?"
"Yeah... I'm sorry"

"4 is great, 3 is bad, 1.2 is good" is harder than "3 is bad, 1.2 is
good" was, and harder than "3 is bad, 1.2 is good, 1.3 is great" would
be.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-19 Thread Watson Ladd
Rebrand 4. There is no reason not to.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-19 Thread Judson Wilson
What Jeff said makes a ton of sense to me.

"TLS 2017" would solve the problems that "TLS 4 solves," without being
confusing, and with the added benefit that the age is painfully obvious.  I
see big wins all around.

The downsides I see are that there is no major/minor distinction, and it
would be hard to have 2 versions in a year - but I think both are small
issues.

On Sat, Nov 19, 2016 at 3:32 AM, Jeffrey Walton  wrote:

> On Thu, Nov 17, 2016 at 9:12 PM, Sean Turner  wrote:
> > At IETF 97, the chairs led a discussion to resolve whether the WG
> should rebrand TLS1.3 to something else.  Slides can be found @
> https://www.ietf.org/proceedings/97/slides/slides-
> 97-tls-rebranding-aka-pr612-01.pdf.
> >
> > The consensus in the room was to leave it as is, i.e., TLS1.3, and to
> not rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this
> decision on the list so please let the list know your top choice between:
> >
> > - Leave it TLS 1.3
> > - Rebrand TLS 2.0
> > - Rebrand TLS 2
> > - Rebrand TLS 4
> >
> > by 2 December 2016.
>
> Please forgive my ignorance...
>
> Who are you targeting for the versioning scheme? Regular users? Mom
> and pop shops with a web presence? Tech guys and gals? Security folks?
>
> For most tech people and security folks, I don't think it matters
> much. However, how many regular users would have clung to SSLv3 and
> TLS 1.0 (given TLS 1.2 was available) if they were named SSL 1995 and
> TLS 1999 (given TLS 2008 or TLS 2010 was available)?
>
> (Sorry to violate the Hum restriction).
>
> Jeff


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-19 Thread Steven Valdez
Maintaining my hum from the meeting, I prefer keeping TLS 1.3 over
renaming, primarily because there's now a good amount of
documentation/implementation in the wild that refers to TLS 1.3, and we'll
need to keep around the new equivalence of TLS 2 (or 4)=TLS 1.3.


On Sat, Nov 19, 2016, 8:31 AM Ira McDonald  wrote:

> Hi,
>
> I think that the presumption that most tech people (or even security
> people)
> won't have any trouble with the future version numbering of TLS is wrong.
>
> Yesterday morning, on an SAE Vehicle Electrical Systems Security call with
> some 40 auto security professionals present, I mentioned that TLS 1.3 was
> wrapping up and was asked "What's TLS?"  Usual explanation about SSL
> being succeeded by IETF TLS 17 years ago.  Several responses that were
> the equivalent of blank stares.  And finally, "Then why is the library
> still
> called OpenSSL?"
>
> Rich has highlighted that the tech community goes right on conflating SSL
> with TLS on web sites.
>
> I change my two cents to "TLS 4" but am unsure about "4" or "4.0" because
> the tech community has been trained to care about major.minor.
>
> Cheers,
> - Ira
>
>
> Ira McDonald (Musician / Software Architect)
> Co-Chair - TCG Trusted Mobility Solutions WG
> Chair - Linux Foundation Open Printing WG
> Secretary - IEEE-ISTO Printer Working Group
> Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
> IETF Designated Expert - IPP & Printer MIB
> Blue Roof Music / High North Inc
> http://sites.google.com/site/blueroofmusic
> http://sites.google.com/site/highnorthinc
> mailto: blueroofmu...@gmail.com
> Jan-April: 579 Park Place  Saline, MI  48176  734-944-0094
> May-Dec: PO Box 221  Grand Marais, MI 49839  906-494-2434
>
>
> On Sat, Nov 19, 2016 at 6:32 AM, Jeffrey Walton 
> wrote:
>
> On Thu, Nov 17, 2016 at 9:12 PM, Sean Turner  wrote:
> > At IETF 97, the chairs led a discussion to resolve whether the WG
> should rebrand TLS1.3 to something else.  Slides can be found @
> https://www.ietf.org/proceedings/97/slides/slides-97-tls-rebranding-aka-pr612-01.pdf
> .
> >
> > The consensus in the room was to leave it as is, i.e., TLS1.3, and to
> not rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this
> decision on the list so please let the list know your top choice between:
> >
> > - Leave it TLS 1.3
> > - Rebrand TLS 2.0
> > - Rebrand TLS 2
> > - Rebrand TLS 4
> >
> > by 2 December 2016.
>
> Please forgive my ignorance...
>
> Who are you targeting for the versioning scheme? Regular users? Mom
> and pop shops with a web presence? Tech guys and gals? Security folks?
>
> For most tech people and security folks, I don't think it matters
> much. However, how many regular users would have clung to SSLv3 and
> TLS 1.0 (given TLS 1.2 was available) if they were named SSL 1995 and
> TLS 1999 (given TLS 2008 or TLS 2010 was available)?
>
> (Sorry to violate the Hum restriction).
>
> Jeff


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-19 Thread Vlad Krasnov
> "Then why is the library still
> called OpenSSL?"

All those arguments show basic confusion of what TLS is. Version numbers won't 
help solve that. 

Only going back to using the SSL name might.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-19 Thread Ira McDonald
Hi,

I think that the presumption that most tech people (or even security people)
won't have any trouble with the future version numbering of TLS is wrong.

Yesterday morning, on an SAE Vehicle Electrical Systems Security call with
some 40 auto security professionals present, I mentioned that TLS 1.3 was
wrapping up and was asked "What's TLS?"  Usual explanation about SSL
being succeeded by IETF TLS 17 years ago.  Several responses that were
the equivalent of blank stares.  And finally, "Then why is the library still
called OpenSSL?"

Rich has highlighted that the tech community goes right on conflating SSL
with TLS on web sites.

I change my two cents to "TLS 4" but am unsure about "4" or "4.0" because
the tech community has been trained to care about major.minor.

Cheers,
- Ira


Ira McDonald (Musician / Software Architect)
Co-Chair - TCG Trusted Mobility Solutions WG
Chair - Linux Foundation Open Printing WG
Secretary - IEEE-ISTO Printer Working Group
Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
IETF Designated Expert - IPP & Printer MIB
Blue Roof Music / High North Inc
http://sites.google.com/site/blueroofmusic
http://sites.google.com/site/highnorthinc
mailto: blueroofmu...@gmail.com
Jan-April: 579 Park Place  Saline, MI  48176  734-944-0094
May-Dec: PO Box 221  Grand Marais, MI 49839  906-494-2434


On Sat, Nov 19, 2016 at 6:32 AM, Jeffrey Walton  wrote:

> On Thu, Nov 17, 2016 at 9:12 PM, Sean Turner  wrote:
> > At IETF 97, the chairs led a discussion to resolve whether the WG
> should rebrand TLS1.3 to something else.  Slides can be found @
> https://www.ietf.org/proceedings/97/slides/slides-
> 97-tls-rebranding-aka-pr612-01.pdf.
> >
> > The consensus in the room was to leave it as is, i.e., TLS1.3, and to
> not rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this
> decision on the list so please let the list know your top choice between:
> >
> > - Leave it TLS 1.3
> > - Rebrand TLS 2.0
> > - Rebrand TLS 2
> > - Rebrand TLS 4
> >
> > by 2 December 2016.
>
> Please forgive my ignorance...
>
> Who are you targeting for the versioning scheme? Regular users? Mom
> and pop shops with a web presence? Tech guys and gals? Security folks?
>
> For most tech people and security folks, I don't think it matters
> much. However, how many regular users would have clung to SSLv3 and
> TLS 1.0 (given TLS 1.2 was available) if they were named SSL 1995 and
> TLS 1999 (given TLS 2008 or TLS 2010 was available)?
>
> (Sorry to violate the Hum restriction).
>
> Jeff


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-19 Thread Peter Gutmann
Ilari Liusvaara  writes:

>Nope, I was referring to the very technical property that if client sends a
>TLS 1.3 handshake, a TLS 1.2 server can still successfully interop, provided
>that the client does TLS 1.2 too

That's like saying that PGP and S/MIME are compatible because if a client
sends a PGP message, a MIME-enabled server can still successfully interop
provided the S/MIME server does PGP too.

Anyway, it's a silly debate (as my Wozniak joke tried to point out), so I'll
bow out now.

Peter.

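The "downnegotiate" property Ilari and Peter are arguing about has a concrete mechanism in the TLS 1.3 drafts current at the time of this thread (and in RFC 8446, section 4.2.1): a TLS 1.3 ClientHello keeps legacy_version pinned to 0x0303 and carries its real offer in the supported_versions extension, so a server that has never heard of 1.3 negotiates 1.2 from the version field it does understand. The following is an added example written for this page, not code from the thread or from any TLS implementation. It models the version-relevant fields of a ClientHello and the selection logic of both a pre-1.3 server and a 1.3-aware server, including the edge case of a client that offers only 1.3. The `ClientHello` record, the `negotiate` helper and the sample client/server version lists are simplifications chosen for the example; the wire version numbers and extension type 43 are the real ones.

```python
"""Model of TLS version negotiation across the 1.2 / 1.3 boundary.

Added example for this page; not code from the thread or from a TLS library.
The ClientHello here is a simplified record, not a full wire encoding.
"""

import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Wire versions. These numbers are part of why the naming argument exists:
# SSL 3.0 is 0x0300, TLS 1.0 is 0x0301, and "TLS 1.3" is 0x0304 on the wire.
SSL_3_0 = 0x0300
TLS_1_0 = 0x0301
TLS_1_1 = 0x0302
TLS_1_2 = 0x0303
TLS_1_3 = 0x0304

VERSION_NAMES = {
    SSL_3_0: "SSL 3.0", TLS_1_0: "TLS 1.0", TLS_1_1: "TLS 1.1",
    TLS_1_2: "TLS 1.2", TLS_1_3: "TLS 1.3",
}

EXT_SUPPORTED_VERSIONS = 43  # IANA ExtensionType value for supported_versions


@dataclass
class ClientHello:
    """Only the version-relevant parts of a ClientHello (simplified)."""
    legacy_version: int
    extensions: Dict[int, bytes] = field(default_factory=dict)


def build_client_hello(offered: List[int]) -> ClientHello:
    """Build the version fields a client supporting `offered` would send.

    A client offering TLS 1.3 MUST set legacy_version to 0x0303 and list every
    version it accepts in supported_versions (most preferred first). A client
    that tops out at TLS 1.2 or below just uses the version field.
    """
    if TLS_1_3 in offered:
        versions = b"".join(struct.pack(">H", v) for v in sorted(offered, reverse=True))
        # Extension body: one-byte length followed by 2-byte version codes.
        ext_body = struct.pack(">B", len(versions)) + versions
        return ClientHello(TLS_1_2, {EXT_SUPPORTED_VERSIONS: ext_body})
    return ClientHello(max(offered))


def parse_supported_versions(body: bytes) -> List[int]:
    """Decode a supported_versions extension body as built above."""
    length = body[0]
    if length % 2 or len(body) != 1 + length:
        raise ValueError("malformed supported_versions extension")
    return [struct.unpack(">H", body[i:i + 2])[0] for i in range(1, 1 + length, 2)]


def server_select_version(hello: ClientHello, server_versions: List[int]) -> Optional[int]:
    """Return the version a server supporting `server_versions` would pick.

    None means no common version: the server would send a protocol_version alert.
    """
    supported = set(server_versions)
    if TLS_1_3 in supported and EXT_SUPPORTED_VERSIONS in hello.extensions:
        # 1.3-aware server: legacy_version is ignored; take the highest version
        # that both sides list in the extension.
        offered = parse_supported_versions(hello.extensions[EXT_SUPPORTED_VERSIONS])
        common = [v for v in offered if v in supported]
        return max(common) if common else None
    # Pre-1.3 server (or no extension sent): the extension is never examined,
    # so negotiation is capped by legacy_version. A 1.3-aware server that sees
    # no extension must still negotiate 1.2 or lower, whatever the field says.
    cap = min(hello.legacy_version, TLS_1_2)
    common = [v for v in supported if v <= cap]
    return max(common) if common else None


def negotiate(client_versions: List[int], server_versions: List[int]) -> str:
    """Run one client/server pairing and name the outcome."""
    hello = build_client_hello(client_versions)
    chosen = server_select_version(hello, server_versions)
    if chosen is None:
        return "no common version"
    if chosen not in client_versions:
        # A 1.3-only client against a 1.2 server: the server answers with the
        # only version it could see (1.2) and the client aborts the handshake.
        return "client rejects " + VERSION_NAMES[chosen]
    return VERSION_NAMES[chosen]


if __name__ == "__main__":
    new_client = [TLS_1_3, TLS_1_2, TLS_1_1]  # constructed sample offers
    print("1.3 client vs 1.2 server:     ", negotiate(new_client, [TLS_1_0, TLS_1_1, TLS_1_2]))
    print("1.3 client vs 1.3 server:     ", negotiate(new_client, [TLS_1_2, TLS_1_3]))
    print("1.2 client vs 1.3 server:     ", negotiate([TLS_1_2, TLS_1_1], [TLS_1_2, TLS_1_3]))
    print("1.2 client vs 1.3-only server:", negotiate([TLS_1_2], [TLS_1_3]))
    print("1.3-only client vs 1.2 server:", negotiate([TLS_1_3], [TLS_1_2]))
```

The last two cases are the ones Peter's analogy is really about: a 1.3 handshake "interops" with a 1.2 server only in the sense that the 1.2 server can pick 1.2 from the hello, and that only helps if the client is willing to run 1.2 as well.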


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-19 Thread Peter Gutmann
Viktor Dukhovni  writes:

>If a majority of the WG prefers the status quo because 3 is a Gaussian prime,
>and 4 is bad karma in China

Just as long as we don't end up going for version .

Peter.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-19 Thread Viktor Dukhovni
On Sat, Nov 19, 2016 at 01:35:41AM -0500, Victor Vasiliev wrote:

> TLS 4 is a confusing name that, as far as I can tell, cannot actually make
> things better.  Right now we have:
> 
> SSL 2 -> SSL 3 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> TLS 1.3 (1)
> 
> Now, some people may get confused by this because of the "SSL is TLS"
> idea, but once you learn that in reality "SSL is a thing that was before
> TLS", it does make sense and seem fairly straightforward (a series of
> numbers under one name, followed by another series of numbers under the
> new name).

This feels like a contrived and speculative argument, backed by no
evidence.  There is on the other hand actual user confusion with
the current numbers.  

We should not rationalize personal preferences with plausible, and
yet non-factual arguments.  It is fine to just state a preference.
If a majority of the WG prefers the status quo because 3 is a
Gaussian prime, and 4 is bad karma in China (*), then that's
sufficient, the reasons don't actually have to be rational.

-- 
Viktor.

(*) Some decades back, shortly before the hand-over of Hong-Kong
to China, there was a property boomlet in Melbourne, and IIRC some
streets sprouted houses numbered 3+1/2...



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-19 Thread Jeffrey Walton
On Thu, Nov 17, 2016 at 9:12 PM, Sean Turner  wrote:
> At IETF 97, the chairs led a discussion to resolve whether the WG should
> rebrand TLS1.3 to something else.  Slides can be found @
> https://www.ietf.org/proceedings/97/slides/slides-97-tls-rebranding-aka-pr612-01.pdf.
>
> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not 
> rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision on 
> the list so please let the list know your top choice between:
>
> - Leave it TLS 1.3
> - Rebrand TLS 2.0
> - Rebrand TLS 2
> - Rebrand TLS 4
>
> by 2 December 2016.

Please forgive my ignorance...

Who are you targeting for the versioning scheme? Regular users? Mom
and pop shops with a web presence? Tech guys and gals? Security folks?

For most tech people and security folks, I don't think it matters
much. However, how many regular users would have clung to SSLv3 and
TLS 1.0 (given TLS 1.2 was available) if they were named SSL 1995 and
TLS 1999 (given TLS 2008 or TLS 2010 was available)?

(Sorry to violate the Hum restriction).

Jeff



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Anders Rundgren

On 2016-11-19 07:35, Victor Vasiliev wrote:

> On Fri, Nov 18, 2016 at 9:30 PM, Kazuho Oku  wrote:
>
>> I oppose going to TLS 4, due to the following reasons:
>>
>> * it might give people the false notion that SSL 2.0, 3.0 is superior to TLS
>> 1.0-1.2
>> * if we name the new protocol TLS 1.3, 2.0, or 2, then there would be no
>> confusion once SSL goes away. However, if we name the new version TLS 4, then
>> people would (for upcoming tens of years) continue to ask where TLS 2 and TLS 3 are.


Windows 9 never made it to the public.  Hardly anybody complained.

Whether the TLS protocol you are working on is "Brand New" or just an "Incremental
Upgrade" is more a matter of personal opinion than an absolute truth.  It is definitely a
"Major Overhaul", since every little bit of the protocol has been reviewed thoroughly.

TLS 4 seems OK to me.

Anders


> I very much agree with those points.
>
> TLS 4 is a confusing name that, as far as I can tell, cannot actually make
> things better.  Right now we have:
>
> SSL 2 -> SSL 3 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> TLS 1.3  (1)
>
> Now, some people may get confused by this because of the "SSL is TLS" idea, but
> once you learn that in reality "SSL is a thing that was before TLS", it does
> make sense and seem fairly straightforward (a series of numbers under one name,
> followed by another series of numbers under the new name).
>
> With TLS 4, we have:
>
> SSL 2 -> SSL 3 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> TLS 4  (2)
>
> This does have the nice property of indicating that TLS 4 is clearly the latest
> version (as long as you know that SSL came before TLS), but the omission of TLS 2
> and TLS 3 will leave people confused, and most likely lead them to conclude
> that what happened is TLS was renamed to SSL and then back again, so that
>
> TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> SSL 2 -> SSL 3 -> TLS 4.  (3)
>
> But this is not even the worst of the problems.
>
> The real problem is that we can't actually rename TLS 1.3, because in the end
> we will merely create a new name for it.  It has already been TLS 1.3 for a few
> years, it has been discussed in the tech community as TLS 1.3, researchers have
> published papers about TLS 1.3, there's probably already marketing material
> with TLS 1.3 out there.  The code that refers to it as TLS 1.3 will probably
> end up referring to it as 1.3 for approximately forever, even if all the
> implementers had been enthusiastic about renaming it, because refactoring is
> high-cost and low-priority, and may not even be possible if you've already
> exposed it via the ABI.  The old name will never die, and it will be a burden
> to anyone in this community, making a confusing versioning scheme even more
> confusing.  It will probably leak outside of it too, and instead of (2), we
> will end up getting
>
> SSL 2 -> SSL 3 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> TLS 1.3 = TLS 4  (4)
>
> which seems strictly more confusing than (1) in every way.
>
> tl;dr: the only way to minimize confusion at this point is to not change
> anything.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Victor Vasiliev
On Fri, Nov 18, 2016 at 9:30 PM, Kazuho Oku  wrote:

> I oppose going to TLS 4, due to the following reasons:
>
> * it might give people the false notion that SSL 2.0, 3.0 is superior to TLS
> 1.0-1.2
> * if we name the new protocol TLS 1.3, 2.0, or 2, then there would be no
> confusion once SSL goes away. However, if we name the new version TLS 4,
> then people would (for upcoming tens of years) continue to ask where TLS 2
> and TLS 3 are.
>
>
I very much agree with those points.

TLS 4 is a confusing name that, as far as I can tell, cannot actually make
things better.  Right now we have:

SSL 2 -> SSL 3 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> TLS 1.3  (1)

Now, some people may get confused by this because of the "SSL is TLS" idea, but
once you learn that in reality "SSL is a thing that was before TLS", it does
make sense and seem fairly straightforward (a series of numbers under one name,
followed by another series of numbers under the new name).

With TLS 4, we have:

SSL 2 -> SSL 3 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> TLS 4  (2)

This does have the nice property of indicating that TLS 4 is clearly the latest
version (as long as you know that SSL came before TLS), but the omission of TLS 2
and TLS 3 will leave people confused, and most likely lead them to conclude
that what happened is TLS was renamed to SSL and then back again, so that

TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> SSL 2 -> SSL 3 -> TLS 4.  (3)

But this is not even the worst of the problems.

The real problem is that we can't actually rename TLS 1.3, because in the end
we will merely create a new name for it.  It has already been TLS 1.3 for a few
years, it has been discussed in the tech community as TLS 1.3, researchers have
published papers about TLS 1.3, there's probably already marketing material
with TLS 1.3 out there.  The code that refers to it as TLS 1.3 will probably
end up referring to it as 1.3 for approximately forever, even if all the
implementers had been enthusiastic about renaming it, because refactoring is
high-cost and low-priority, and may not even be possible if you've already
exposed it via the ABI.  The old name will never die, and it will be a burden
to anyone in this community, making a confusing versioning scheme even more
confusing.  It will probably leak outside of it too, and instead of (2), we
will end up getting

SSL 2 -> SSL 3 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> TLS 1.3 = TLS 4  (4)

which seems strictly more confusing than (1) in every way.

tl;dr: the only way to minimize confusion at this point is to not change
anything.

