Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-13 Thread Joseph Salowey
Thanks to all those who participated in the list discussion; it was a very
popular topic.  On the list and in the meeting, TLS 1.3 had more support
than any other option, so we believe there is rough consensus to leave the
name of the protocol as TLS 1.3.

Thanks,

J

On Sat, Dec 3, 2016 at 10:15 PM, Mohan Sekar <mohan.se...@edgeverve.com>
wrote:

> +1 on Tony's comment
>
>
>
> - Keep this version TLS 1.3
>
> - For the next version of TLS, drop the 1.x and call it TLS 4
>
>
>
> Mohan Sekar
>
>
>
> *From:* TLS [mailto:tls-boun...@ietf.org] *On Behalf Of *Tony Arcieri
> *Sent:* Saturday, December 3, 2016 9:04 AM
> *To:* Sean Turner <s...@sn3rd.com>
> *Cc:* <tls@ietf.org> <tls@ietf.org>
> *Subject:* Re: [TLS] Confirming consensus: TLS1.3->TLS*
>
>
>
> On Thu, Nov 17, 2016 at 6:12 PM, Sean Turner <s...@sn3rd.com> wrote:
>
> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not
> rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision
> on the list so please let the list know your top choice between:
>
> - Leave it TLS 1.3
> - Rebrand TLS 2.0
> - Rebrand TLS 2
> - Rebrand TLS 4
>
> by 2 December 2016.
>
>
>
> I guess we're at the deadline, but I have a compromise I think makes sense:
>
>
>
> - Keep this version TLS 1.3
>
> - For the next version of TLS, drop the 1.x and call it TLS 4
>
>
>
> --
>
> Tony Arcieri
>
> ___
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-03 Thread Karthik Bhargavan
>
> The wire format is one thing, but there is work that has been done at a
> much higher level referencing "TLS 1.3", e.g. TRON work:
>
> http://prosecco.gforge.inria.fr/personal/karthik/pubs/proscript-tls-tron-2016.pdf
>


Thanks for the reference but this draft paper does not count as a
publication. Yes, there are other published papers that have appeared
during the last year that use the name TLS 1.3, but I think academics will
keep out of this (re)naming debate because it does not matter so much for
us. We are already citing draft versions in our papers, because a proof for
draft 10 does not carry over to draft 18. When the RFC comes out, we'll
start consistently citing the published protocol, whatever it is called.

Again, I'll keep out of the protocol name discussion, but I don't think the
name will add too much confusion for academic works, or put another way, it
will not reduce the confusion which already exists between various draft
versions and the final RFC.


>
>
>> The volume of work that will be published in the hopefully 18 or more
>> years that this draft is in deployment will dwarf the current body of
>> work.  If it doesn't, then we will have completely failed.
>
>
> While more security analysis against whatever-the-new-TLS-is-called will
> certainly happen, I would imagine it would be split against
> whatever-the-next-TLS-version-is-called. And the thing is, a lot of the
> extant research about "TLS 1.3" is fantastic, so much so that I think it
> will be routinely cited. Certainly there will be new research, but much of
> the groundwork has already been laid.
>
> From what I can tell, the main argument for changing the version is to
> *reduce confusion*. I am incredibly unconvinced rebranding TLS 1.3 to TLS
> 4/2017/9000 will actually accomplish the intended goal.
>
> A recent example of what sort of confusion I could see arise: ECMAScript.
> They moved from a numbered branding (ES6/ES7) to a year-based branding
> (ES2016/ES2017). People continue to use both, so now you have to maintain a
> mental mapping of which-version-to-which-year.
>
> The optimal solution to me as far as reducing these sort of mental
> gymnastics goes is to keep the version as "TLS 1.3" and drop the 1.x in the
> next release. This gets the "TLS 4" advocates what they want, just not
> right away, without renaming the current release at the last minute.
>
> --
> Tony Arcieri


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Tony Arcieri
On Fri, Dec 2, 2016 at 7:57 PM, Scott Schmit  wrote:

> This draft has been in development since April 2014, 2.6 years ago.
> Over that time, the wire protocol has changed multiple times and
> incompatibly.  So not even all of that 2.6 years of details is still
> applicable to the protocol we're going to publish as an RFC.  So why
> would mixing up searches for the final protocol with the draft versions
> be a good thing?
>

The wire format is one thing, but there is work that has been done at a
much higher level referencing "TLS 1.3", e.g. TRON work:

http://prosecco.gforge.inria.fr/personal/karthik/pubs/proscript-tls-tron-2016.pdf


> The volume of work that will be published in the hopefully 18 or more
> years that this draft is in deployment will dwarf the current body of
> work.  If it doesn't, then we will have completely failed.


While more security analysis against whatever-the-new-TLS-is-called will
certainly happen, I would imagine it would be split against
whatever-the-next-TLS-version-is-called. And the thing is, a lot of the
extant research about "TLS 1.3" is fantastic, so much so that I think it
will be routinely cited. Certainly there will be new research, but much of
the groundwork has already been laid.

From what I can tell, the main argument for changing the version is to
*reduce confusion*. I am incredibly unconvinced rebranding TLS 1.3 to TLS
4/2017/9000 will actually accomplish the intended goal.

A recent example of what sort of confusion I could see arise: ECMAScript.
They moved from a numbered branding (ES6/ES7) to a year-based branding
(ES2016/ES2017). People continue to use both, so now you have to maintain a
mental mapping of which-version-to-which-year.

The optimal solution to me as far as reducing these sort of mental
gymnastics goes is to keep the version as "TLS 1.3" and drop the 1.x in the
next release. This gets the "TLS 4" advocates what they want, just not
right away, without renaming the current release at the last minute.

-- 
Tony Arcieri


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Viktor Dukhovni

> On Dec 2, 2016, at 10:34 PM, Tony Arcieri  wrote:
> 
> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not 
> rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision on 
> the list so please let the list know your top choice between:
> 
> - Leave it TLS 1.3
> - Rebrand TLS 2.0
> - Rebrand TLS 2
> - Rebrand TLS 4
> 
> by 2 December 2016.
> 
> I guess we're at the deadline, but I have a compromise I think makes sense:
> 
> - Keep this version TLS 1.3
> - For the next version of TLS, drop the 1.x and call it TLS 4 

That "next version" will perhaps be the one after the QC crypto-apocalypse...

More seriously, I don't expect another TLS version after this for a decade
or so.  The adoption cycle is so long that it makes little sense to rev the
protocol with any frequency.  So get it right now; near-term revisions
seem unlikely.

So I see your proposal as not a compromise, but rather as staying with
the status quo, for better or worse and for quite some time...

-- 
Viktor.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Tony Arcieri
On Thu, Nov 17, 2016 at 6:12 PM, Sean Turner  wrote:

> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not
> rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision
> on the list so please let the list know your top choice between:
>
> - Leave it TLS 1.3
> - Rebrand TLS 2.0
> - Rebrand TLS 2
> - Rebrand TLS 4
>
> by 2 December 2016.


I guess we're at the deadline, but I have a compromise I think makes sense:

- Keep this version TLS 1.3
- For the next version of TLS, drop the 1.x and call it TLS 4

-- 
Tony Arcieri


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Tony Arcieri
On Fri, Dec 2, 2016 at 1:21 PM, Peter Gutmann 
wrote:

> The change was proposed long ago, and deferred by the chairs until now.
> This
> is just another variant of the inertia argument.


You keep dismissing this argument out of hand, but I think it has merit.

I think we can all admit the decision to rename SSL -> TLS is a mistake (to
the point people are proposing to retroactively re-rename TLS back to SSL).

There is now a huge body of work which calls the protocol "TLS 1.3" which
will be cited for years to come. You wrote this whole body of work off as
the concern of "TLS WG and a small number of people who interact with it"
as if a move to a different version number comes at zero cost almost as if
this work doesn't matter, but I have a different view: this is one more bit
of errata in exactly the same vein as the SSL -> TLS move which anyone
consulting this body of work will have to contend with.

You will no doubt disagree, so I'm simply saying it for posterity: keeping
the version TLS 1.3 is the least confusing option, IMO.

-- 
Tony Arcieri


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Peter Gutmann
Viktor Dukhovni  writes:

>I was with you up to this point, but I do think that going back to SSL is not
>a good idea, and takes us off topic.

It was just something to throw out there, and to point out that no matter what
the WG calls it, the rest of the world will keep calling it SSL.  It's been
twenty years, it's not going to change any more now.

>Opening it up even wider seems like a sure way to get nowhere (which is
>likely status quo TLS 1.3).

Yeah, fair enough.  It would be nice to finally fix a 20-year-old mistake 
though.

Peter.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Peter Gutmann
Maarten Bodewes  writes:

>The point is we are now indeed on draft 18. Changing the name now is very
>problematic because everybody on the mailing list has already been calling it
>TLS 1.3 for a long time, and no matter what you do, a lot of us (who are
>hopefully the experts) will keep referring to it under that name.

The change was proposed long ago, and deferred by the chairs until now.  This
is just another variant of the inertia argument.

Peter.




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Ted Lemon
On Dec 2, 2016, at 4:10 PM, Peter Gutmann  wrote:
> Ugh, how very geeky,

Really?



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Peter Gutmann
Hubert Kario  writes:

>speaking of confusion, do you know that e-mail clients mean "SSL/TLS" by
>"SSL" and "STARTTLS" by "TLS"? (note the port numbers)
>https://sils.unc.edu/it-services/email-faq/outlook
>https://mail.aegee.org/smtp/kmail.html
>https://sils.unc.edu/it-services/my-computer/email-faq/thunderbird

Ugh, how very geeky, all the charm of fetchmail with a GUI bolted on.  The
fact that security geeks suck at UX isn't really proof of anything (other than
that you need to let interaction designers do your UX, not security people).

With Apple Mail, all you have to do is click on "Use Secure Sockets Layer" and
you're done (note the name).  With the Android mailer I use it's not even
that, it's autoconfigured, just point it at your email domain and give a
username and password.

Peter.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Patrick McManus
I favor naming the result tls 1.3 - the X in 1.X has effectively become the
modern versioning field and we should stick with that road now as the best
of a bunch of weak options.

-Patrick


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Michael D'Errico

Aaron Zauner wrote:

> (of course I'd opt for SSLv5 just to mess with people).

I'm surprised nobody has yet suggested retroactive renaming:

SSLv4  ==  TLS 1.0
SSLv5  ==  TLS 1.1
SSLv6  ==  TLS 1.2
SSLv7  ==  TLS 1.3

Mike



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Aaron Zauner
* Sean Turner  [18/11/2016 03:13:23] wrote:
> At IETF 97, the chairs lead a discussion to resolve whether the WG should 
> rebrand TLS1.3 to something else.  Slides can be found @ 
> https://www.ietf.org/proceedings/97/slides/slides-97-tls-rebranding-aka-pr612-01.pdf.
> 
> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not 
> rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision on 
> the list so please let the list know your top choice between:
> 
> - Leave it TLS 1.3

Please let's keep it at TLS 1.3, which we have been talking about for
a couple of years now; no one expects a protocol from this WG with a
different name (of course I'd opt for SSLv5 just to mess with people).

Aaron




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Salz, Rich
> after considering all of the good points that have been circulating, I would 
> like to change my vote 


Woah, are you new here? :)



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Salz, Rich

> Can’t we borrow one from tictoc?

Ever since they merged with NTP, it seems to be lost in a time loop and nobody 
can find it.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Ackermann, Michael
+2 on removing all references to SSL.


From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of darin.pet...@usbank.com
Sent: Friday, December 2, 2016 1:55 PM
To: Andrei Popov <andrei.po...@microsoft.com>
Cc: TLS <tls-boun...@ietf.org>; <tls@ietf.org> <tls@ietf.org>
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*

+1 with Andrei.

"That SSL should never be used" is the one clear message we have so going back 
to SSL would muddy those waters too much.  Strong vote for staying with TLS.  
It will become better known over time, especially with the current enterprise 
push to deprecate all SSL versions from use.
Regarding the numbering schema, someone recently mentioned that probably only a 
few hundred of us are aware of the TLS 1.3 nomenclature at this point and I 
would concur with that.  So, after considering all of the good points that have 
been circulating, I would like to change my vote to TLS 2017.  It provides 
clarity, recognizes that it is a major change and pulls us out of the whole 
SSL/TLS numbering confusion/quagmire.

Darin



From: Andrei Popov <andrei.po...@microsoft.com>
To: Daniel Kahn Gillmor <d...@fifthhorseman.net>, Peter Gutmann <pgut...@cs.auckland.ac.nz>, Stephen Farrell <stephen.farr...@cs.tcd.ie>, David Benjamin <david...@chromium.org>, Tony Arcieri <basc...@gmail.com>, <tls@ietf.org>
Date: 12/02/2016 12:34 PM
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*
Sent by: "TLS" <tls-boun...@ietf.org>

Indeed, "all known versions of SSL are broken and should never be used" is what 
I've been telling people for a while now...

-Original Message-
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Daniel Kahn Gillmor
Sent: Friday, December 2, 2016 6:36 AM
To: Peter Gutmann <pgut...@cs.auckland.ac.nz>; Stephen Farrell <stephen.farr...@cs.tcd.ie>; David Benjamin <david...@chromium.org>; Tony Arcieri <basc...@gmail.com>; <tls@ietf.org>
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*

On Fri 2016-12-02 03:33:21 -0500, Peter Gutmann wrote:
> If no-one from Microsoft has any objections, can we just rename it
> back to what it's always been for everyone but us, SSL?

fwiw, the industry (and stackexchange) uses "SSL" to mean all sorts of things, 
not only TLS.  Yesterday i got an e-mail from a reputable CA reseller that said 
"Your SSL is expiring in two days!  Buy a new SSL now!"

Surely no one is proposing that we also re-name the X.509 certificate format to 
"SSL" just because vendors whose business models revolve around these products 
are confused about terminology.  What else should we rename to "SSL" on that 
basis?  Maybe a load-balancer is also "SSL"!

Here's a useful and effective meme for convincing bosses that it's ok to turn 
off SSLv3: all known versions of SSL are broken and should never be used.  
Please do not break this meme by trying to rename TLS to SSL.

I don't care about the bikeshed over the number: i'd be fine with any of TLS 
1.3 or TLS 4 or TLS 2017.  But can we please not create *even more* confusion 
by bikeshedding over the name itself?

  --dkg


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Viktor Dukhovni

> On Dec 2, 2016, at 3:33 AM, Peter Gutmann  wrote:
> 
> If no-one from Microsoft has any objections, can we just rename it back to
> what it's always been for everyone but us, SSL?

I was with you up to this point, but I do think that going back to SSL is
not a good idea, and takes us off topic.

Is there any glimmer of rough consensus on:

 * TLS 1.3 vs.
 * TLS 4   vs.
 * TLS 2017 vs.
 * TLS 2.0?

Opening it up even wider seems like a sure way to get nowhere (which is
likely status quo TLS 1.3).

-- 
Viktor.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread darin . pettis
+1 with Andrei. 

"That SSL should never be used" is the one clear message we have so going 
back to SSL would muddy those waters too much.  Strong vote for staying 
with TLS.  It will become better known over time, especially with the 
current enterprise push to deprecate all SSL versions from use. 
Regarding the numbering schema, someone recently mentioned that probably 
only a few hundred of us are aware of the TLS 1.3 nomenclature at this 
point and I would concur with that.  So, after considering all of the good 
points that have been circulating, I would like to change my vote to TLS 
2017.  It provides clarity, recognizes that it is a major change and pulls 
us out of the whole SSL/TLS numbering confusion/quagmire.

Darin



From: Andrei Popov <andrei.po...@microsoft.com>
To: Daniel Kahn Gillmor <d...@fifthhorseman.net>, Peter Gutmann <pgut...@cs.auckland.ac.nz>, Stephen Farrell <stephen.farr...@cs.tcd.ie>, David Benjamin <david...@chromium.org>, Tony Arcieri <basc...@gmail.com>, <tls@ietf.org>
Date: 12/02/2016 12:34 PM
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*
Sent by: "TLS" <tls-boun...@ietf.org>

Indeed, "all known versions of SSL are broken and should never be used" is 
what I've been telling people for a while now...

-Original Message-
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Daniel Kahn Gillmor
Sent: Friday, December 2, 2016 6:36 AM
To: Peter Gutmann <pgut...@cs.auckland.ac.nz>; Stephen Farrell 
<stephen.farr...@cs.tcd.ie>; David Benjamin <david...@chromium.org>; Tony 
Arcieri <basc...@gmail.com>; <tls@ietf.org> <tls@ietf.org>
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*

On Fri 2016-12-02 03:33:21 -0500, Peter Gutmann wrote:
> If no-one from Microsoft has any objections, can we just rename it 
> back to what it's always been for everyone but us, SSL?

fwiw, the industry (and stackexchange) uses "SSL" to mean all sorts of 
things, not only TLS.  Yesterday i got an e-mail from a reputable CA 
reseller that said "Your SSL is expiring in two days!  Buy a new SSL now!"

Surely no one is proposing that we also re-name the X.509 certificate 
format to "SSL" just because vendors whose business models revolve around 
these products are confused about terminology.  What else should we rename 
to "SSL" on that basis?  Maybe a load-balancer is also "SSL"!

Here's a useful and effective meme for convincing bosses that it's ok to 
turn off SSLv3: all known versions of SSL are broken and should never be 
used.  Please do not break this meme by trying to rename TLS to SSL.

I don't care about the bikeshed over the number: i'd be fine with any of 
TLS 1.3 or TLS 4 or TLS 2017.  But can we please not create *even more* 
confusion by bikeshedding over the name itself?

   --dkg



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Andrei Popov
Indeed, "all known versions of SSL are broken and should never be used" is what 
I've been telling people for a while now...

-Original Message-
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Daniel Kahn Gillmor
Sent: Friday, December 2, 2016 6:36 AM
To: Peter Gutmann <pgut...@cs.auckland.ac.nz>; Stephen Farrell 
<stephen.farr...@cs.tcd.ie>; David Benjamin <david...@chromium.org>; Tony 
Arcieri <basc...@gmail.com>; <tls@ietf.org> <tls@ietf.org>
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*

On Fri 2016-12-02 03:33:21 -0500, Peter Gutmann wrote:
> If no-one from Microsoft has any objections, can we just rename it 
> back to what it's always been for everyone but us, SSL?

fwiw, the industry (and stackexchange) uses "SSL" to mean all sorts of things, 
not only TLS.  Yesterday i got an e-mail from a reputable CA reseller that said 
"Your SSL is expiring in two days!  Buy a new SSL now!"

Surely no one is proposing that we also re-name the X.509 certificate format to 
"SSL" just because vendors whose business models revolve around these products 
are confused about terminology.  What else should we rename to "SSL" on that 
basis?  Maybe a load-balancer is also "SSL"!

Here's a useful and effective meme for convincing bosses that it's ok to turn 
off SSLv3: all known versions of SSL are broken and should never be used.  
Please do not break this meme by trying to rename TLS to SSL.

I don't care about the bikeshed over the number: i'd be fine with any of TLS 
1.3 or TLS 4 or TLS 2017.  But can we please not create *even more* confusion 
by bikeshedding over the name itself?

   --dkg



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Yoav Nir

> On 2 Dec 2016, at 19:58, David Benjamin  wrote:
> 
> (To clarify, I was not at all suggesting we go back to SSL. If we had a time 
> machine, I might make other suggestions, but as far as I know we do not.)

Can’t we borrow one from tictoc?


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread David Benjamin
(To clarify, I was not at all suggesting we go back to SSL. If we had a
time machine, I might make other suggestions, but as far as I know we do
not.)

On Fri, Dec 2, 2016 at 12:45 PM Andrei Popov <andrei.po...@microsoft.com>
wrote:

> Not that I can speak for the whole of Microsoft, but I would not drop TLS
> support in Windows if it were renamed "SSL" :).
>
> However, "transport layer security" makes a lot more sense to me than
> "secure sockets layer" because the latter seems to imply network
> socket-style API, which is not a requirement of this protocol.
>
> Cheers,
>
> Andrei
>
> -Original Message-
> From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Peter Gutmann
> Sent: Friday, December 2, 2016 12:33 AM
> To: Stephen Farrell <stephen.farr...@cs.tcd.ie>; David Benjamin <
> david...@chromium.org>; Tony Arcieri <basc...@gmail.com>; <tls@ietf.org> <
> tls@ietf.org>
> Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*
>
> Stephen Farrell <stephen.farr...@cs.tcd.ie> writes:
>
> >IIRC that was sort-of a condition for adoption of the work in the IETF
> >20 years ago, when there were two different protocols already being
> >deployed and the proponents of one of them said "we'll use that other
> >one (SSL) but you gotta change the name of the standard or we can't get
> >our  to agree to change to all use the same thing."
>
> It was Netscape with SSL vs. Microsoft with PCT.
>
> If no-one from Microsoft has any objections, can we just rename it back to
> what it's always been for everyone but us, SSL?
>
> Peter.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Andrei Popov
Not that I can speak for the whole of Microsoft, but I would not drop TLS 
support in Windows if it were renamed "SSL" :).

However, "transport layer security" makes a lot more sense to me than "secure 
sockets layer" because the latter seems to imply network socket-style API, 
which is not a requirement of this protocol.

Cheers,

Andrei

-Original Message-
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Peter Gutmann
Sent: Friday, December 2, 2016 12:33 AM
To: Stephen Farrell <stephen.farr...@cs.tcd.ie>; David Benjamin 
<david...@chromium.org>; Tony Arcieri <basc...@gmail.com>; <tls@ietf.org> 
<tls@ietf.org>
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*

Stephen Farrell <stephen.farr...@cs.tcd.ie> writes:

>IIRC that was sort-of a condition for adoption of the work in the IETF 
>20 years ago, when there were two different protocols already being 
>deployed and the proponents of one of them said "we'll use that other 
>one (SSL) but you gotta change the name of the standard or we can't get 
>our  to agree to change to all use the same thing."

It was Netscape with SSL vs. Microsoft with PCT.

If no-one from Microsoft has any objections, can we just rename it back to what 
it's always been for everyone but us, SSL?

Peter.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Hubert Kario
On Friday, 2 December 2016 16:12:05 CET Salz, Rich wrote:
> > Here's a useful and effective meme for convincing bosses that it's ok to
> > turn off SSLv3: all known versions of SSL are broken and should never be
> > used. Please do not break this meme by trying to rename TLS to SSL.
> 
> Is "all known versions before SSL 4" that much worse?

given:
1. we have people that need support for SSLv3 and SSLv2 style Client Hello 
messages (The Web is not the only place where SSL/TLS is deployed), let alone 
TLS 1.0
2. TLS 1.2 is not broken (so the statement is demonstrably false)

yes, it is much worse

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Rob Stradling

On 02/12/16 14:53, Thomas Pornin wrote:

> Commercial CA tend to sell "SSL certificates", not "TLS certificates"
> or "SSL/TLS certificates".

It's worse than that.  Many customers, and even some salespeople, seem 
to think that we sell "SSLs".


--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Salz, Rich
> Here's a useful and effective meme for convincing bosses that it's ok to turn
> off SSLv3: all known versions of SSL are broken and should never be used.
> Please do not break this meme by trying to rename TLS to SSL.

Is "all known versions before SSL 4" that much worse?



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Maarten Bodewes
Hi all,

The point is we are now indeed on draft 18. Changing the name now is very
problematic because everybody on the mailing list has already been calling it
TLS 1.3 for a long time, and no matter what you do, a lot of us (who are
hopefully the experts) will keep referring to it under that name.

If you want a name change, introduce it early (as editor of the RFC, these
guys should be able to make this kind of decision) or otherwise keep the
name.

The same kind of discussion was on the SHA-3 mailing list, where some
argued for AHS instead of SHA-3. The same problem ensued there and SHA-3
was kept in the end (although I don't know how the decision was made at
that time).

Further discussions continue at s...@ietf.org ;)

Regards,
Maarten

2016-12-02 15:54 GMT+01:00 Ted Lemon :

> The bottom line is that this is an unanswerable question.   My advice
> is to not change the name, because I think more name changes = more
> confusion and it is _way_ too late to put TLS back in the box.   But
> what do I know--I'm just an end user!   :)
>
> On Fri, Dec 2, 2016 at 9:42 AM, Hubert Kario  wrote:
> > On Friday, 2 December 2016 14:12:38 CET Salz, Rich wrote:
> >> > SSL 2 < SSL 3 < "SSL" 1.0 < "SSL" 1.1 < "SSL" 1.2 < "SSL" 4 is not
> >> > logical ordering
> >>
> >> So?  Who cares?  A couple-hundred people in the IETF.  And the issue is
> >> that SSL 3 < "SSL" 1.0 which is the issue no matter what we call what we're
> >> doing here.  And the quotes around the last SSL do not belong there.
> >
> >> You can say that calling it "TLS 1.3" promulgates the illogical
> >> ordering, or you could say it continues a renumbering.  A renumbering
> >> that the world has never recognized or understood.  You can say that
> >> "SSL 4" confuses people twice, or you can say that it restores sanity
> >> to a 20-year glitch and starts us using the same name that the rest of
> >> the world, *and our industry,* uses.
> >
> > what it does is it introduces a second glitch
> >
> > speaking of confusion, do you know that e-mail clients by "SSL" mean
> "SSL/TLS"
> > and by "TLS" mean "STARTTLS"?
> > (note the port numbers)
> > https://sils.unc.edu/it-services/email-faq/outlook
> > https://mail.aegee.org/smtp/kmail.html
> > https://sils.unc.edu/it-services/my-computer/email-faq/thunderbird
> >
> > --
> > Regards,
> > Hubert Kario
> > Senior Quality Engineer, QE BaseOS Security team
> > Web: www.cz.redhat.com
> > Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
> >
> > ___
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> >


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Ted Lemon
The bottom line is that this is an unanswerable question.   My advice
is to not change the name, because I think more name changes = more
confusion and it is _way_ too late to put TLS back in the box.   But
what do I know--I'm just an end user!   :)

On Fri, Dec 2, 2016 at 9:42 AM, Hubert Kario  wrote:
> On Friday, 2 December 2016 14:12:38 CET Salz, Rich wrote:
>> > SSL 2 < SSL 3 < "SSL" 1.0 < "SSL" 1.1 < "SSL" 1.2 < "SSL" 4 is not logical
>> > ordering
>>
>> So?  Who cares?  A couple-hundred people in the IETF.  And the issue is that
>> SSL 3 < "SSL" 1.0 which is the issue no matter what we call what we're
>> doing here.  And the quotes around the last SSL do not belong there.
>
>> You can say that calling it "TLS 1.3" promulgates the illogical ordering, or
>> you could say it continues a renumbering.  A renumbering that the world has
>> never recognized or understood.  You can say that "SSL 4" confuses people
>> twice, or you can say that it restores sanity to a 20-year glitch and
>> starts us using the same name that the rest of the world, *and our
>> industry,* uses.
>
> what it does is it introduces a second glitch
>
> speaking of confusion, do you know that e-mail clients use "SSL" to mean "SSL/TLS"
> and "TLS" to mean "STARTTLS"?
> (note the port numbers)
> https://sils.unc.edu/it-services/email-faq/outlook
> https://mail.aegee.org/smtp/kmail.html
> https://sils.unc.edu/it-services/my-computer/email-faq/thunderbird
>
> --
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Thomas Pornin
On Fri, Dec 02, 2016 at 02:17:24PM +, Ackermann, Michael wrote:
> In Enterprise circles TLS is an unknown acronym and as painful as it
> is,  we must usually refer to it as SSL,  before anyone knows what we
> are talking about.  Software products are guilty too.   Parameter
> fields frequently reference SSL.   :(

Actually there is a large variety in what I encounter (I work in a big
financial institution, and I have gone through other big organisations).

Some will just know "SSL" and talk about SSL for all protocols in the
"SSL" family (which so far includes SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1
and TLS 1.2).

Some will use "SSL" for SSL 2.0 and SSL 3.0, and "TLS" for the TLS 1.x
versions. They then ban "SSL" and want to enforce "TLS". When they
encounter regulations that say "don't use TLS 1.0, only TLS 1.1+", they
get confused.

Some people and software interfaces use "SSL vs TLS" in a completely
different way, in the context of protocols like IMAP or FTPS: they use
"SSL" to mean "SSL handshake first, then protocol inside it", and "TLS"
to mean "protocol first and a STARTTLS command". This distinction is
orthogonal to protocol versions.

Commercial CAs tend to sell "SSL certificates", not "TLS certificates"
or "SSL/TLS certificates". In a similar vein, the 'S' in 'HTTPS' does
_not_ mean "SSL", but not many people know that.

When I encounter someone who knows the differences between all versions,
then I am in front of a mirror. The taxonomy is confused and
complicated, and people who are maniacal enough to learn and remember it
are very rare.



If we look at what Microsoft did when it encountered the same kind of
terminology mess, it decided that the number following 2000 was "XP".
Lately, for server versions, Microsoft uses a year-based numbering,
and even so, they depart from it at times, e.g. when they decided that
"2009" was really "2008R2".

In practice, people don't have problems with gaps in numbering; they
are even eager to _create_ gaps when convenient, for instance by
not acknowledging the existence of Windows Vista.


So my conclusion is that terminology is essentially fluid and chosen by
people in the field, without any form of coordination and with a trend
toward simplification: the _operational_ notion is to lump versions into
two groups, the ones that must be used and the ones that must not be
used. There is next to nothing the IETF can do about it (though a really
poorly chosen name might increase confusion even further). The only
naming scheme which is kinda coherent is the numbering scheme on the
wire (3.0, 3.1...), and even that one fails to capture SSL 2.0 (which is
in fact 0.2 on the wire).


--Thomas Pornin



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Hubert Kario
On Friday, 2 December 2016 14:12:38 CET Salz, Rich wrote:
> > SSL 2 < SSL 3 < "SSL" 1.0 < "SSL" 1.1 < "SSL" 1.2 < "SSL" 4 is not logical
> > ordering
> 
> So?  Who cares?  A couple-hundred people in the IETF.  And the issue is that
> SSL 3 < "SSL" 1.0 which is the issue no matter what we call what we're
> doing here.  And the quotes around the last SSL do not belong there.

> You can say that calling it "TLS 1.3" promulgates the illogical ordering, or
> you could say it continues a renumbering.  A renumbering that the world has
> never recognized or understood.  You can say that "SSL 4" confuses people
> twice, or you can say that it restores sanity to a 20-year glitch and
> starts us using the same name that the rest of the world, *and our
> industry,* uses.

what it does is it introduces a second glitch

speaking of confusion, do you know that e-mail clients use "SSL" to mean "SSL/TLS"
and "TLS" to mean "STARTTLS"?
(note the port numbers)
https://sils.unc.edu/it-services/email-faq/outlook
https://mail.aegee.org/smtp/kmail.html
https://sils.unc.edu/it-services/my-computer/email-faq/thunderbird

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Ackermann, Michael
+1 on Ted's comments.

In Enterprise circles TLS is an unknown acronym and as painful as it is, we
must usually refer to it as SSL, before anyone knows what we are talking
about. Software products are guilty too. Parameter fields frequently
reference SSL. :(



-Original Message-
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Ted Lemon
Sent: Friday, December 2, 2016 8:59 AM
To: Salz, Rich <rs...@akamai.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*

Rich, I don't think there is any explanation that can be given for the
assertion without collecting a lot of data.   That said, the objection
makes sense to me.   I certainly think of SSL as poison.   Of course,
the average Joe on the street doesn't even know what TLS stands for,
but the people who are deciding what software to run do.   In that
audience, adding confusion with a new name change is probably bad.
So what Hubert said seems self-evident to me, not requiring any explanation.

On Fri, Dec 2, 2016 at 8:47 AM, Salz, Rich <rs...@akamai.com> wrote:
>> People already know that SSL3 is worse than "SSL" 1.0 through 1.2 ,
>> it's logical that SSL 1.3 continues that trend. creating "SSL" 4 will bring
>> more confusion.
>
> Please explain that assertion.
>
> --
> Senior Architect, Akamai Technologies
> Member, OpenSSL Dev Team
> IM: richs...@jabber.at Twitter: RichSalz 


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Salz, Rich
> SSL 2 < SSL 3 < "SSL" 1.0 < "SSL" 1.1 < "SSL" 1.2 < "SSL" 4 is not logical 
> ordering

So?  Who cares?  A couple-hundred people in the IETF.  And the issue is that 
SSL 3 < "SSL" 1.0 which is the issue no matter what we call what we're doing 
here.  And the quotes around the last SSL do not belong there.

You can say that calling it "TLS 1.3" promulgates the illogical ordering, or 
you could say it continues a renumbering.  A renumbering that the world has 
never recognized or understood.  You can say that "SSL 4" confuses people 
twice, or you can say that it restores sanity to a 20-year glitch and starts us 
using the same name that the rest of the world, *and our industry,* uses.




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Hubert Kario
On Friday, 2 December 2016 14:04:36 CET Salz, Rich wrote:
> Nobody knows the difference tween 1.0 1.1 1.2
> 
> SSL 4 or SSL 4.0 is a bigger number than 1.x and uses the same term that
> everyone, including our industry, uses.  If someone sees "TLS 1.2" and
> thinks "wow, that's so much worse than SSL 4 because the number is so much
> smaller," then isn't that a good thing, increasing pressure to move
> forward?

Or he thinks "stupid 'experts' pushing stuff down our throats by inflating 
numbers".

Certainly not all of them will think the same thing.
 
> I would much rather spend time explaining "no, really TLS 1.2 is not that
> bad" than have to spend more decades explaining "no, really, that thing the
> world thinks of as SSL is really TLS and 1.3 is really better than what you
> think you should have."

Except in 10 years we may be explaining that "no, TLS 1.3/2.0/4/2017 alone is 
completely insecure, you need to deploy post-quantum crypto on TLS 
1.2/2.0/4/2017"
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Peter Gutmann

"Salz, Rich"  writes:

>> People already know that SSL3 is worse than "SSL" 1.0 through 1.2 , it's logical
>> that SSL 1.3 continues that trend. creating "SSL" 4 will bring more confusion.
>
> Please explain that assertion.

I was going to ask that too, the quoted text seems..., well, gibberish to me.

Peter.




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Hubert Kario
On Friday, 2 December 2016 13:47:20 CET Salz, Rich wrote:
> > People already know that SSL3 is worse than "SSL" 1.0 through 1.2 , it's
> > logical that SSL 1.3 continues that trend. creating "SSL" 4 will bring
> > more confusion.
> 
> Please explain that assertion.

SSL 2 < SSL 3 < "SSL" 1.0 < "SSL" 1.1 < "SSL" 1.2 < "SSL" 4
is not logical ordering

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Salz, Rich
Nobody knows the difference tween 1.0 1.1 1.2

SSL 4 or SSL 4.0 is a bigger number than 1.x and uses the same term that 
everyone, including our industry, uses.  If someone sees "TLS 1.2" and thinks 
"wow, that's so much worse than SSL 4 because the number is so much smaller," 
then isn't that a good thing, increasing pressure to move forward?

I would much rather spend time explaining "no, really TLS 1.2 is not that bad" 
than have to spend more decades explaining "no, really, that thing the world 
thinks of as SSL is really TLS and 1.3 is really better than what you think you 
should have."


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Ted Lemon
Rich, I don't think there is any explanation that can be given for the
assertion without collecting a lot of data.   That said, the objection
makes sense to me.   I certainly think of SSL as poison.   Of course,
the average Joe on the street doesn't even know what TLS stands for,
but the people who are deciding what software to run do.   In that
audience, adding confusion with a new name change is probably bad.
So what Hubert said seems self-evident to me, not requiring any
explanation.

On Fri, Dec 2, 2016 at 8:47 AM, Salz, Rich  wrote:
>> People already know that SSL3 is worse than "SSL" 1.0 through 1.2 , it's
>> logical that SSL 1.3 continues that trend. creating "SSL" 4 will bring more
>> confusion.
>
> Please explain that assertion.
>
> --
> Senior Architect, Akamai Technologies
> Member, OpenSSL Dev Team
> IM: richs...@jabber.at Twitter: RichSalz


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Hubert Kario
On Friday, 2 December 2016 03:12:41 CET Peter Gutmann wrote:
> Tony Arcieri  writes:
> >There's already ample material out there (papers, presentations, mailing
> >list discussions, etc) which talks about "TLS 1.3".
> 
> In other words, the TLS WG and a small number of people who interact with it
> call it TLS 1.3.  That's hardly a strong argument when most of the rest of
> the world doesn't even call it TLS.
> 
> In fact that's something that's come up repeatedly in the bikeshedding so
> far, there are some really good, sound arguments for calling it TLS/SSL 4
> or TLS/SSL 2017, while pretty much the only reasons I've seen for TLS 1.3
> are inertia, "we've always called it that"/"I don't want to change"/etc.

People already know that SSL3 is worse than "SSL" 1.0 through 1.2 , it's 
logical that SSL 1.3 continues that trend. creating "SSL" 4 will bring more 
confusion.

In 10 years time, when the only way for you to get anything that can talk SSL 
3 is to run EOL software and hardware, then we can create "SSL" 4. But not 
when one fifth of the Internet still supports SSL 3.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Peter Gutmann
Yoav Nir  writes:

>The way I’ve heard it “SSL” is a registered trademark owned by Netscape (now
>AOL), so we can’t use it unless AOL lawyers sign off on that. It might be
>wrong, but if it’s true - good luck with that.

http://tmsearch.uspto.gov/bin/showfield?f=toc=4810%3Ajoxwrl.1.1_search=searchss_L=50=_plural=yes_s_PARA1=_tagrepl%7E%3A=PARA1%24LD=PARA1+AND+PARA2_s_PARA2=ssl_tagrepl%7E%3A=PARA2%24COMB_op_ALL=AND_default=search_search=Submit+Query_search=Submit+Query
 

http://tmsearch.uspto.gov/bin/showfield?f=toc=4805%3A16epd1.1.1_search=searchstr=_L=100_plural=yes_s_PARA1=SSL_tagrepl%7E%3A=PARA1%24ALL=PARA1+and+PARA2_s_PARA2=security_tagrepl%7E%3A=PARA2%24ALL_default=search=toc=4805%3A16epd1.1.1_search=Submit+Query

http://tmsearch.uspto.gov/bin/showfield?f=toc=4805%3A16epd1.4.1_search=searchstr=_L=100_plural=yes_s_PARA1=%22secure+sockets+layer%22_tagrepl%7E%3A=PARA1%24ALL=PARA1+or+PARA2_s_PARA2=_tagrepl%7E%3A=PARA2%24ALL_default=search=toc=4805%3A16epd1.4.1_search=Submit+Query

Doesn't look like it.  And even if it was, Netscape's failure to defend it
against infringement by half the planet would probably make its enforceability
dubious.

Peter.




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Yoav Nir

> On 2 Dec 2016, at 10:33, Peter Gutmann  wrote:
> 
> Stephen Farrell  writes:
> 
>> IIRC that was sort-of a condition for adoption of the work in the IETF 20
>> years ago, when there were two different protocols already being deployed and
>> the proponents of one of them said "we'll use that other one (SSL) but you
>> gotta change the name of the standard or we can't get our  to agree
>> to change to all use the same thing."
> 
> It was Netscape with SSL vs. Microsoft with PCT.
> 
> If no-one from Microsoft has any objections, can we just rename it back to
> what it's always been for everyone but us, SSL?

Is that even possible? The way I’ve heard it “SSL” is a registered trademark 
owned by Netscape (now AOL), so we can’t use it unless AOL lawyers sign off on 
that. It might be wrong, but if it’s true - good luck with that.

Yoav



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-02 Thread Peter Gutmann
Stephen Farrell  writes:

>IIRC that was sort-of a condition for adoption of the work in the IETF 20
>years ago, when there were two different protocols already being deployed and
>the proponents of one of them said "we'll use that other one (SSL) but you
>gotta change the name of the standard or we can't get our  to agree
>to change to all use the same thing."

It was Netscape with SSL vs. Microsoft with PCT.

If no-one from Microsoft has any objections, can we just rename it back to
what it's always been for everyone but us, SSL?

Peter.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-01 Thread Bill Frantz

On 12/2/16 at 8:48 PM, rs...@akamai.com (Salz, Rich) wrote:

> And also, the world will not care about a gap in numbering.  Nobody cared that
> there was no Windows 9.


If we go with 2017, we can tell the world that by using the year the standard
was approved, instead of a confusing set of names and numbers, we are
eliminating any confusion about which version is the most recent.


Cheers - Bill

---
Bill Frantz        | gets() remains as a monument | Periwinkle
(408)356-8506      | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns.             | Los Gatos, CA 95032




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-01 Thread Salz, Rich
> If we call the next one 4, we have to explain a gap in the versioning (1.0, 
> 1.1, 1.2, 4?) and placing 2.0 and 3.0 after 1.2 becomes even more inviting.

No we don't have to explain it.  Most of the world isn't OCD types like those 
of us in this field.

> Once SSL 3.0 falls away, we'll be left with 1.0, 1.1, 1.2, and 1.3, which is 
> a plausible numbering progression. There'll still be the mess with SSL being 
> the informal name for the protocol family, but that isn't a numbering problem.

Once SSL 3.0 falls away, the industry will still be calling the protocol SSL.  
Except now the common name and the real name have no relationship.

And also, the world will not care about a gap in numbering.  Nobody cared that 
there was no Windows 9.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-01 Thread Salz, Rich
> In other words, the TLS WG and a small number of people who interact with
> it call it TLS 1.3.  That's hardly a strong argument when most of the rest of
> the world doesn't even call it TLS.

Strongly agreed

> pretty much the only reasons I've seen for TLS 1.3 are
> inertia, "we've always called it that"/"I don't want to change"/etc.

Yes.

Think outside the community.  The world calls it SSL.  Many of the vendors in 
this industry also call it SSL.

SSL 4 or greater.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-01 Thread Peter Gutmann
Tony Arcieri  writes:

>There's already ample material out there (papers, presentations, mailing list
>discussions, etc) which talks about "TLS 1.3".

In other words, the TLS WG and a small number of people who interact with it
call it TLS 1.3.  That's hardly a strong argument when most of the rest of the
world doesn't even call it TLS.

In fact that's something that's come up repeatedly in the bikeshedding so far,
there are some really good, sound arguments for calling it TLS/SSL 4 or
TLS/SSL 2017, while pretty much the only reasons I've seen for TLS 1.3 are
inertia, "we've always called it that"/"I don't want to change"/etc.

Peter.

  


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-01 Thread Watson Ladd
On Thu, Dec 1, 2016 at 6:16 PM, Tony Arcieri  wrote:
> On Wed, Nov 30, 2016 at 8:43 PM, Viktor Dukhovni  wrote:
>>
>> > I actually completely agree with Timothy Jackson's recent posting:
>> >
>> >   After 15 years, everyone but us still calls it SSL. We need to
>> >   admit that we lost the marketing battle and plan for a world where
>> >   everyone calls “TLS X” “SSL X”. Even “new” implementations call
>> >   themselves “LibreSSL” and “BoringSSL” rather than “LibreTLS” or
>> >   “BoringTLS”.
>>
>> I'll drink to that!
>
>
> I will also +1 this and add that if the goal is to reduce confusion, a last
> minute renaming of TLS 1.3 to something else probably won't accomplish that,
> but will rather create more confusion. There's already ample material out
> there (papers, presentations, mailing list discussions, etc) which talks
> about "TLS 1.3". Rebranding it now would add an additional bit of errata
> everyone needs to learn if they ever encountered the "TLS 1.3" version in
> any of these materials. And I think the whole SSL/TLS thing is errata
> enough.

So what should X be in the above email? Clearly it should be \geq 4.

>
> --
> Tony Arcieri
>



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-12-01 Thread Tony Arcieri
On Wed, Nov 30, 2016 at 8:43 PM, Viktor Dukhovni  wrote:

> > I actually completely agree with Timothy Jackson's recent posting:
> >
> >   After 15 years, everyone but us still calls it SSL. We need to
> >   admit that we lost the marketing battle and plan for a world where
> >   everyone calls “TLS X” “SSL X”. Even “new” implementations call
> >   themselves “LibreSSL” and “BoringSSL” rather than “LibreTLS” or
> >   “BoringTLS”.
>
> I'll drink to that!


I will also +1 this and add that if the goal is to reduce confusion, a last
minute renaming of TLS 1.3 to something else probably won't accomplish
that, but will rather create more confusion. There's already ample material
out there (papers, presentations, mailing list discussions, etc) which
talks about "TLS 1.3". Rebranding it now would add an additional bit of
errata everyone needs to learn if they ever encountered the "TLS 1.3"
version in any of these materials. And I think the whole SSL/TLS thing is
errata enough.

-- 
Tony Arcieri


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-30 Thread Peter Gutmann
Nick Sullivan  writes:

>I took a very unofficial Twitter poll on this subject:
>https://twitter.com/grittygrease/status/80364408215424

Given the lack of context for the question (an out-of-the-blue query
to a random bunch of people on Twitter), I think the inevitable TLSy 
McTLSface (given as Crypty McCryptFace in one response) is kind of 
representative of the quality of responses...

I actually completely agree with Timothy Jackson's recent posting:

  After 15 years, everyone but us still calls it SSL. We need to 
  admit that we lost the marketing battle and plan for a world where 
  everyone calls “TLS X” “SSL X”. Even “new” implementations call 
  themselves “LibreSSL” and “BoringSSL” rather than “LibreTLS” or 
  “BoringTLS”.

Spurred by that, I've been watching out for any uses of $protocol-
name that I come across in news, books, journals, blogs, whatever.
It's pretty clear cut: What we call TLS, the rest of the world calls
SSL.  The only place where it was referred to specifically as TLS
was in IETF WG postings and in conference papers.  To the rest of
the world, the protocol is SSL.  So given that the world will know 
it as SSL , it had better have a number that makes 
explicit what precedence it takes, either 4 or 2017.  Whatever it
is, it needs to be something that can be ranked against "SSL" and
"SSL 3" and be an obvious improvement.

Peter.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-30 Thread Nick Sullivan
I took a very unofficial Twitter poll on this subject:
https://twitter.com/grittygrease/status/80364408215424

Nick

On Tue, Nov 29, 2016 at 5:47 AM Raja ashok  wrote:

> I feel we can go ahead with TLS 1.3.
>
> Or else TLS 3.4, because we send 0x0304 on the wire for TLS 1.3 anyway.
>
>
>
> I hope all three other options (TLS 2.0, TLS 2 and TLS 4) will cause
> confusion with SSL versions for end users.
>
>
> --
>
> Raja Ashok VK
> 华为技术有限公司 Huawei Technologies Co., Ltd.
> Huawei Technologies Co., Ltd.
> Bangalore, India
>
> http://www.huawei.com
> --
>
>
>
>
>
>
> -Original Message-
> From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Sean Turner
> Sent: 18 November 2016 07:43
> To: 
> Subject: [TLS] Confirming consensus: TLS1.3->TLS*
>
>
>
> At IETF 97, the chairs led a discussion to resolve whether the WG should
> rebrand TLS1.3 to something else.  Slides can be found @
> https://www.ietf.org/proceedings/97/slides/slides-97-tls-rebranding-aka-pr612-01.pdf
>
>
>
> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not
> rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision
> on the list so please let the list know your top choice between:
>
>
>
> - Leave it TLS 1.3
>
> - Rebrand TLS 2.0
>
> - Rebrand TLS 2
>
> - Rebrand TLS 4
>
>
>
> by 2 December 2016.
>
>
>
> Thanks,
>
> J
>
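Thomas Pornin's point earlier in the thread that the wire numbering (3.0, 3.1, ..., with SSL 2.0 as 0.2) is the only coherent scheme, and Raja Ashok's note above that TLS 1.3 sends 0x0304, can both be checked against handshake bytes. The following is an added example, not code from the thread or from any IETF document; it assumes the RFC 8446 ClientHello layout (legacy_version 0x0303 plus a supported_versions extension, type 43) and the SSL 2.0 CLIENT-HELLO layout, and builds its own constructed sample hellos rather than parsing captured traffic:

```python
from __future__ import annotations

import struct

# Wire version numbers and the names the thread argues about.
# SSL 2.0 really identifies itself as 0x0002, i.e. "0.2 on the wire".
WIRE_NAMES = {
    0x0002: "SSL 2.0",
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}

SUPPORTED_VERSIONS = 43  # extension type from RFC 8446


def name_of(wire: int) -> str:
    return WIRE_NAMES.get(wire, f"unknown (0x{wire:04x})")


def wire_order() -> list[str]:
    """Names ordered by the number actually sent on the wire."""
    return [WIRE_NAMES[v] for v in sorted(WIRE_NAMES)]


def is_grease(v: int) -> bool:
    # RFC 8701 reserved values have the form 0x?a?a; do not rank them
    return (v & 0x0F0F) == 0x0A0A


def client_hello_versions(data: bytes) -> list[int]:
    """Return the versions a ClientHello offers, highest first.

    Handles the SSL 2.0 CLIENT-HELLO (2-byte length with the high bit set,
    then message type 1), the SSL 3.0 / TLS 1.x record layout, and TLS 1.3,
    which keeps legacy_version at 0x0303 and advertises 0x0304 only inside
    the supported_versions extension.
    """
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        return [struct.unpack(">H", data[3:5])[0]]
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    legacy_version = struct.unpack(">H", hello[0:2])[0]
    pos = 2 + 32                                            # version + random
    pos += 1 + hello[pos]                                   # session id
    pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]   # cipher suites
    pos += 1 + hello[pos]                                   # compression methods
    if pos >= len(hello):
        return [legacy_version]                             # no extensions
    ext_end = pos + 2 + struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack(">HH", hello[pos:pos + 4])
        edata = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SUPPORTED_VERSIONS:
            n = edata[0]
            offered = [struct.unpack(">H", edata[i:i + 2])[0] for i in range(1, 1 + n, 2)]
            return sorted((v for v in offered if not is_grease(v)), reverse=True)
    return [legacy_version]


def describe(data: bytes) -> str:
    return ", ".join(name_of(v) for v in client_hello_versions(data))


# Constructed sample hellos (not captured traffic) so the parser runs offline.

def build_client_hello(legacy_version: int, supported: list[int] | None = None) -> bytes:
    body = struct.pack(">H", legacy_version) + bytes(32)   # version + zero random
    body += b"\x00"                                        # empty session id
    body += struct.pack(">H", 2) + b"\x13\x01"             # one cipher suite
    body += b"\x01\x00"                                    # null compression only
    if supported is not None:
        vs = b"".join(struct.pack(">H", v) for v in supported)
        ext = struct.pack(">HH", SUPPORTED_VERSIONS, 1 + len(vs)) + bytes([len(vs)]) + vs
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", 0x0301, len(hs)) + hs


def build_sslv2_hello(version: int) -> bytes:
    # MSG-CLIENT-HELLO, version, cipher-specs len, session-id len, challenge
    # len, then one 3-byte cipher spec and a 16-byte challenge
    body = b"\x01" + struct.pack(">HHHH", version, 3, 0, 16) + b"\x01\x00\x80" + bytes(16)
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    print(wire_order())
    print(describe(build_sslv2_hello(0x0002)))
    print(describe(build_client_hello(0x0303)))
    print(describe(build_client_hello(0x0303, [0x0A0A, 0x0304, 0x0303])))
```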


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-28 Thread Timothy Jackson
At this point, my personal opinion is to move on from TLS 1.3 to either TLS 
4/4.0 or TLS 2017.

After 15 years, everyone but us still calls it SSL. We need to admit that we 
lost the marketing battle and plan for a world where everyone calls “TLS X” 
“SSL X”. Even “new” implementations call themselves “LibreSSL” and “BoringSSL” 
rather than “LibreTLS” or “BoringTLS”.

As SSL is removed from products, we’re likely to get more and more questions 
“why am I using SSL 1.2, when I thought SSL 3 was broken?” This is a 
*legitimate* question by a user who is educated enough to know that “SSL 3 is 
bad” but has more important things to remember than the distinction between SSL 
and TLS. As others have noted, TLS 4 fixes this when users call it SSL 4, which 
they definitely will.

Tim

On 11/25/16, 6:43 AM, "TLS on behalf of Dan Brown" <tls-boun...@ietf.org on 
behalf of danibr...@blackberry.com> wrote:

> I don't oppose any of the 4 given options, but I slightly prefer TLS 2.0,
> it seems simple and clear.
>
> In my opinion, the whole SSL vs TLS confusion needs better education to
> confront, version numbers (even dates) alone might not be enough.  Renaming
> *SSL products to *TLS should help.  Avoiding "SSL/TLS" might help.
>
> Since others have proposed new options, how about TLS 2.017? Using the date
> has benefits, but the actual crypto changes are much more important, so the
> decimal makes that point.  An old crypto principle is that older is better
> (among equally unbroken options) -- but naming new stuff is just not enough to
> rid us of broken old stuff, so putting dates in names might not undermine this
> principle.  For future naming, on minor changes (or even pre-scheduled reviews
> with no changes), update the date part, on major changes, start from scratch
> (as in 3.2024, or even use different letters ... ).
>
> By the way, I'm sorry if my opinion diverges from the currently forming
> consensus.
>
> Just my $0.02.
>
> Dan
>
> PS Just to be clear, if votes are to be tallied, my vote on this issue
> should be weighted quite low (i.e. 0, unless other votes are weighted low too,
> and some kind of tie-breaker is needed), for at least three reasons: I have not
> followed the TLS 1.3/2.0 spec closely (i.e., I had no part in building the
> shed); I have nearly zero experience dealing with user interpretation (i.e.
> marketing) of protocol names; my preference is weak. (Enough to deserve a
> negative weight, if that were not cheatable;)
>
> PPS I've said before that I prefer TLC(rypto) to TLS(ecurity), but that's
> unlikely to fly, and it may be okay to grandfather this tradition.  (I hope
> names of future crypto protocols (that TLS WG might work on) can be more
> specific and realistic.)
>
> -Original Message-
> From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Dave Garrett
> Sent: Tuesday, November 22, 2016 5:07 PM
> To: tls@ietf.org
> Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*
>
> (replies to a bunch of ideas in this thread)
>
> As the person who lit the match under this latest bikeshed debate,
> personally, I don't see a strong consensus building here. Leaving the bikeshed
> unpainted seems like the option we're headed for, at this rate. I'm fine with
> TLS 1.3 if that's the result here.
>
> That said, I think I've been somewhat swayed to the TLS 4 camp with the
> "fourth version of TLS" message. It makes a kind of messy sense that's kind of
> fitting for TLS. I'm no longer against it.
>
> I've also suggested highlighting the year in the past, but only in the
> context of the title and messaging, not actually replacing the version number
> itself. I'd be ok with TLS 1.3-2017 (or something), not doing a find/replace of
> 1.3 and changing it to 2017, wholesale. That just feels even more confusing.
>
> Lastly, I am vehemently against the suggestion of ditching the TLS name in
> favor of SSL again, as was also brought up in this thread. SSL is dead and
> insecure, and that message needs to stay. We need to get people to stop
> conflating the two and making this worse, not accepting it.
>
>
> Dave
>
>
> On Sunday, November 20, 2016 08:16:07 pm Eric Rescorla wrote:
> > I mildly prefer TLS 1.3 to TLS 2 and TLS 4 (If we're going to rev the
> > major version number we should abandon the minor one).
> > TLS 2017 strikes me as quite bad; we're certainly not planning to do a
> > TLS 2018. I am strongly opposed to TLS 2017.
> >
> > -Ekr
> >
> >
> > On Fri, Nov 18, 2016 at 11:12 AM, Sean Turner <s...@sn3rd.com> wrote:
> >
> > > At IETF 97, the chairs led a discussion to resolve whether the WG
> > > should rebrand TLS1.3 to something else.  Slides can be found @
> > >
> > > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_proceedings_97_slides_slides-2D=DwICAg=N0Urj2691w_G_RMcId8BFO255JhwY

Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-25 Thread Dan Brown
I don't oppose any of the 4 given options, but I slightly prefer TLS 2.0, it 
seems simple and clear.  

In my opinion, the whole SSL vs TLS confusion needs better education to 
confront, version numbers (even dates) alone might not be enough.  Renaming 
*SSL products to *TLS should help.  Avoiding "SSL/TLS" might help.

Since others have proposed new options, how about TLS 2.017? Using the date has 
benefits, but the actual crypto changes are much more important, so the decimal 
makes that point.  An old crypto principle is that older is better (among 
equally unbroken options) -- but naming new stuff is just not enough to rid us 
of broken old stuff, so putting dates in names might not undermine this 
principle.  For future naming, on minor changes (or even pre-scheduled reviews 
with no changes), update the date part, on major changes, start from scratch 
(as in 3.2024, or even use different letters ... ).  

By the way, I'm sorry if my opinion diverges from the currently forming 
consensus.

Just my $0.02.
  
Dan

PS Just to be clear, if votes are to be tallied, my vote on this issue should 
be weighted quite low (i.e. 0, unless other votes are weighted low too, and 
some kind of tie-breaker is needed), for at least three reasons: I have not 
followed the TLS 1.3/2.0 spec closely (i.e., I had no part in building the 
shed); I have nearly zero experience dealing with user interpretation (i.e. 
marketing) of protocol names; my preference is weak. (Enough to deserve a 
negative weight, if that were not cheatable;)

PPS I've said before that I prefer TLC(rypto) to TLS(ecurity), but that's 
unlikely to fly, and it may be okay to grandfather this tradition.  (I hope 
names of future crypto protocols (that TLS WG might work on) can be more 
specific and realistic.)


___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-22 Thread Anders Rundgren

Using the YEAR as Version was created to make sure that users having old 
versions of products that are constantly upgraded would feel the pressure to 
upgrade.

This idea doesn't seem equally suitable for security protocols.

TLS 4 would IMO be a logical choice since it is numerically higher than all its 
predecessors.

Anders



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-22 Thread Dave Garrett
(replies to a bunch of ideas in this thread)

As the person who lit the match under this latest bikeshed debate, personally, 
I don't see a strong consensus building here. Leaving the bikeshed unpainted 
seems like the option we're headed for, at this rate. I'm fine with TLS 1.3 if 
that's the result here.

That said, I think I've been somewhat swayed to the TLS 4 camp with the "fourth 
version of TLS" message. It makes a kind of messy sense that's kind of fitting 
for TLS. I'm no longer against it.

I've also suggested highlighting the year in the past, but only in the context 
of the title and messaging, not actually replacing the version number itself. 
I'd be ok with TLS 1.3-2017 (or something), not doing a find/replace of 1.3 and 
changing it to 2017, wholesale. That just feels even more confusing.

Lastly, I am vehemently against the suggestion of ditching the TLS name in 
favor of SSL again, as was also brought up in this thread. SSL is dead and 
insecure, and that message needs to stay. We need to get people to stop 
conflating the two and making this worse, not accepting it.


Dave


On Sunday, November 20, 2016 08:16:07 pm Eric Rescorla wrote:
> I mildly prefer TLS 1.3 to TLS 2 and TLS 4 (If we're going to rev the major
> version number we should abandon the minor one).
> TLS 2017 strikes me as quite bad; we're certainly not planning to do a TLS
> 2018. I am strongly opposed to TLS 2017.
> 
> -Ekr
> 
> 
> On Fri, Nov 18, 2016 at 11:12 AM, Sean Turner  wrote:
> 
> > At IETF 97, the chairs led a discussion to resolve whether the WG should
> > rebrand TLS1.3 to something else.  Slides can be found @
> > https://www.ietf.org/proceedings/97/slides/slides-
> > 97-tls-rebranding-aka-pr612-01.pdf.
> >
> > The consensus in the room was to leave it as is, i.e., TLS1.3, and to not
> > rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision
> > on the list so please let the list know your top choice between:
> >
> > - Leave it TLS 1.3
> > - Rebrand TLS 2.0
> > - Rebrand TLS 2
> > - Rebrand TLS 4
> >
> > by 2 December 2016.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-22 Thread Daniel Migault
I have a small preference for TLS 1.3.

On Tue, Nov 22, 2016 at 10:04 AM, Scott Schmit  wrote:

> On Fri, Nov 18, 2016 at 11:12:48AM +0900, Sean Turner wrote:
> > At IETF 97, the chairs led a discussion to resolve whether the WG
> should rebrand TLS1.3 to something else.  Slides can be found @
> https://www.ietf.org/proceedings/97/slides/slides-
> 97-tls-rebranding-aka-pr612-01.pdf.
> >
> > The consensus in the room was to leave it as is, i.e., TLS1.3, and to
> not rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this
> decision on the list so please let the list know your top choice between:
> >
> > - Leave it TLS 1.3
> > - Rebrand TLS 2.0
> > - Rebrand TLS 2
> > - Rebrand TLS 4
> >
> > by 2 December 2016.
>
> I find it compelling that if we lived in an alternate universe where we
> had SSL 1996, TLS 1999, and a recently-published TLS 2006 or TLS 2008,
> there would have been a lot less inertia about switching to a later
> version.  I find it very optimistic given our history that we could
> manage two TLS versions in a year.  If that ever happened, though, we
> could do 2019.1 (as an increment) or 2019.11 (for the month).
>
> Barring that, I'd prefer TLS 4, since that gets us out of the version
> confusion swamp.  It would seem that almost nobody outside the security
> community understands the distinction between SSL and TLS; so if we call
> it TLS 4, we'll probably see it referred to as SSLv4.  And that wouldn't
> be horrible.  If we call it TLS 2 or TLS 2.0, some might refer to it as
> SSLv2.  That would obviously be very bad.
>
> While it's nice to able to look up information about TLS 1.3 drafts,
> most of that information is going to be inaccurate anyway, so I don't
> see that as a compelling reason to stick to it.  Granted, you have
> specific buzz for "TLS 1.3 is going to really improve things" but that's
> fairly easy to translate to "the new version of TLS is going to really
> improve things".
>
> The distinction between 2 vs 2.0 seems pretty minor.  SSLv2 is 2.0 and
> SSLv3 is 3.0, but few write it that way.
>
> Thus my ranked preference would be:
>
> TLS 2017 > TLS 4 > TLS 1.3 > TLS 2 or TLS 2.0
>
> But if I'm limited to a top choice from the list, then "Rebrand TLS 4"
>
> --
> Scott Schmit
>


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Hugo Krawczyk
If it wasn't because we don't need more noise in this discussion I would
have suggested SSL 5.0 which seems to be the logical conclusion from the
reasoning people are using. Clearly, everyone thinks that the battle of
replacing "SSL" with "TLS" in the popular and technical references to the
standard has been lost and there is not much hope to win it in the future.
So if the mountain won't come to  Muhammad then go back to SSL and call it
SSL 5.0 leaving SSL 4.0 as an historic parallel/re-naming of TLS 1.0. (Also
note that the two 'S' of SSL already hint to the number 5 and L is 50 in
Roman numerals.)

On a more serious note, I would keep a minor option in whatever is chosen
(e.g. 4.0). The reason is that I can see more resistance in the future to
minor revisions if such revision needs to be called TLS 5 rather than 4.1.
However, minor but crucial revisions may be needed sooner than one hopes
for and delaying them for when more changes are accumulated is not a good
thing.

Hugo


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Salz, Rich
> You should be reluctant to draw too many conclusions from a field which you 
> can only access by clicking through a big scary warning that you are voiding 
> your warranty:

Warranty?

And sure, users never click through security warnings ☺

At any rate, this was intended to be a little light-hearted, but might have 
rubbed some folks the wrong way.  Sorry ‘bout that.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread David Woodhouse
On Mon, 2016-11-21 at 19:34 +, Salz, Rich wrote:
> Do "about:config" in firefox and look for TLS:
>   security.tls.version.max default   integer  3
> 
> And then perhaps look at http://kb.mozillazine.org/Security.tls.version.* 
> (yes the star is part of the URL)
> 
> EVEN MOZILLA can't get it "right."

What's wrong with that? On a version of Firefox which supports only up
to TLSv1.2, the default setting of security.tls.version.max is 3 (i.e.
TLSv1.2). Which seems reasonable enough.

If you update to a hypothetical newer version of Firefox+NSS which
supports a newer version of TLS, presumably the default value of
security.tls.version.max will be 4, and will take effect unless you've
manually set it to any other value in your own local config.

-- 
dwmw2



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Richard Barnes
On Mon, Nov 21, 2016 at 2:51 PM, Yoav Nir  wrote:

>
> > On 21 Nov 2016, at 20:43, Salz, Rich  wrote:
> >
> >
> >> With this in mind, I'm voting in favor of any re-branding of TLS 1.3
> where the
> >> protocol name remains "TLS" and major version becomes > 1.
> >
> > Me too.
>
> Agree
>

I can live with this approach, though if we go this way, I would have a
strong preference for 4, as the minimum change that gets us clear of the
SSL version numbers.

That said, I still think 1.3 is the most sensible option.  Regardless of
what we do here, we're still going to have to struggle with "N > 1.2 > 1.1
> 1.0 > 3.0" for a long time.  The only decision we've got here is which
additional exasperating conversation we want to have in the future, "Yes, N
is the one that comes after 1.2", or "Yes, 1.3 > 3.0".  Might as well stick
with the one we've been having all along anyway.

--Richard






Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Sean Leonard

+1 to TLS 1.3. My strong preference is TLS 1.3.

Reasons have been advanced ad-nauseam.

Just a couple of additional thoughts:
1.3 is in the protocol. So there.
"Perl 6". Just because you advance a version number to a big one, 
doesn't mean that businesses will see the justification to upgrade.


Sean

On 11/17/2016 6:12 PM, Sean Turner wrote:

At IETF 97, the chairs led a discussion to resolve whether the WG should 
rebrand TLS1.3 to something else.  Slides can be found @ 
https://www.ietf.org/proceedings/97/slides/slides-97-tls-rebranding-aka-pr612-01.pdf.

The consensus in the room was to leave it as is, i.e., TLS1.3, and to not 
rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision on 
the list so please let the list know your top choice between:

- Leave it TLS 1.3
- Rebrand TLS 2.0
- Rebrand TLS 2
- Rebrand TLS 4

by 2 December 2016.

Thanks,
J


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Eric Rescorla
On Mon, Nov 21, 2016 at 11:34 AM, Salz, Rich  wrote:

> Do "about:config" in firefox and look for TLS:
> security.tls.version.max default   integer  3
>
> And then perhaps look at http://kb.mozillazine.org/Security.tls.version.*
> (yes the star is part of the URL)
>
> EVEN MOZILLA can't get it "right."
>

You should be reluctant to draw too many conclusions from a field which you
can only access by clicking through a big scary warning that you are voiding
your warranty:

https://techjourney.net/media/2015/03/firefox-about-config-warning.png

-Ekr




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Short, Todd
Throwing my hat into the ring, the basic record protocol has not changed.

If anything, what is currently referred to as TLSv1.3 is really just a major 
update to the handshake messages.

If the record protocol were to change to use a sane 4-byte header (which I 
proposed many months ago), then I think that calling it TLSv4 or equivalent 
would be appropriate.

At this point, I’d prefer to keep it TLSv1.3, since I don’t consider this a 
significant update to the protocol.
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

On Nov 21, 2016, at 2:51 PM, Yoav Nir wrote:


On 21 Nov 2016, at 20:43, Salz, Rich wrote:


With this in mind, I'm voting in favor of any re-branding of TLS 1.3 where the
protocol name remains "TLS" and major version becomes > 1.

Me too.

Agree




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Yoav Nir

> On 21 Nov 2016, at 20:43, Salz, Rich  wrote:
> 
> 
>> With this in mind, I'm voting in favor of any re-branding of TLS 1.3 where 
>> the
>> protocol name remains "TLS" and major version becomes > 1.
> 
> Me too.

Agree




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Salz, Rich
Do "about:config" in firefox and look for TLS:
security.tls.version.max default   integer  3

And then perhaps look at http://kb.mozillazine.org/Security.tls.version.* (yes 
the star is part of the URL)

EVEN MOZILLA can't get it "right."



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread =JeffH

In the room last week, I hummed for "TLS 4".

that said, I overall agree with Andrei's sentiment..

> I'm voting in favor of any re-branding of TLS 1.3 where the
> protocol name remains "TLS" and major version becomes > 1.

HTH,

=JeffH



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Dmitry Belyavsky
Hello,

On Mon, Nov 21, 2016 at 9:43 PM, Salz, Rich  wrote:

>
> > With this in mind, I'm voting in favor of any re-branding of TLS 1.3
> where the
> > protocol name remains "TLS" and major version becomes > 1.
>
> Me too.
>
> +1


-- 
SY, Dmitry Belyavsky


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Salz, Rich

> With this in mind, I'm voting in favor of any re-branding of TLS 1.3 where the
> protocol name remains "TLS" and major version becomes > 1.

Me too.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-21 Thread Andrei Popov
Peter has some excellent points here (although I would prefer "TLS 2.0").

Perhaps the "re-branders" are losing votes and hums because we're fragmented 
into numerous camps.

With this in mind, I'm voting in favor of any re-branding of TLS 1.3 where the 
protocol name remains "TLS" and major version becomes > 1.

Cheers,

Andrei

-Original Message-
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Peter Gutmann
Sent: Friday, November 18, 2016 6:41 PM
To: Ilari Liusvaara <ilariliusva...@welho.com>
Cc: <tls@ietf.org> <tls@ietf.org>
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*

Replying to several messages at once to save space:

Ilari Liusvaara:

>One can downnegotiate TLS 1.3 to TLS 1.2.

Ah, you're obviously a fan of Steve Wozniak humour.  When someone asked him 
whether it was possible to upgrade from an Apple II+ to an Apple IIe, he 
similarly said "yes, you unplug the power cable from the II+, throw it away, 
and plug the IIe into the newly-vacated power cable".

Christian Huitema:

>I prefer TLS 1.3, because it signals continuity with the ongoing TLS 
>deployment efforts.

Maybe it's just me, but wouldn't the fact that they're both called TLS sort of 
indicate that there's continuity there?

Dave Kern:

>I'm in favor of TLS 4, and ignoring the minor version number (in the 
>friendly text string, not the protocol field) moving forward.

That's actually a good point, "TLS 4" provides a single, clean number for 
people to remember.  Even a CTO or auditor should be able to get that one right 
without having to look up a table in a book to see that 1.3 > v3.

Peter.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-20 Thread Viktor Dukhovni

> On Nov 20, 2016, at 7:56 PM, D. J. Bernstein  wrote:
> 
> Of course people who prioritize retaining the existing "TLS 1.3"
> mindshare will be just as unhappy with "TLS 2017" as with "TLS 4", but
> they'll get over it within a few years. :-)

This worked well enough for IDNA2003 and IDNA2008 (the latter was
finally published in 2010, and even that is not a problem).

So I can get behind TLS 2017.  I had even considered suggesting it,
but did not at the time want to add more options to the mix.

I think the risk of two TLS standards published in a single year
is vanishingly low.  And see no problems with "gaps" in the numbers.

-- 
Viktor.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-20 Thread Mark Nottingham
I give the chairs my full support for whatever colour they wish to paint this 
bikeshed.


> On 18 Nov. 2016, at 1:12 pm, Sean Turner  wrote:
> 
> At IETF 97, the chairs led a discussion to resolve whether the WG should 
> rebrand TLS1.3 to something else.  Slides can be found @ 
> https://www.ietf.org/proceedings/97/slides/slides-97-tls-rebranding-aka-pr612-01.pdf.
> 
> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not 
> rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision on 
> the list so please let the list know your top choice between:
> 
> - Leave it TLS 1.3
> - Rebrand TLS 2.0
> - Rebrand TLS 2
> - Rebrand TLS 4
> 
> by 2 December 2016.
> 
> Thanks,
> J

--
Mark Nottingham   https://www.mnot.net/



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-20 Thread Xiaoyin Liu
+1 for “TLS 2017” for all the four reasons given in the proposal.



My overall preference is TLS 2017 > TLS 4 > TLS 2 or 2.0 > TLS 1.3.



Best,

Xiaoyin



From: D. J. Bernstein<mailto:d...@cr.yp.to>
Sent: Sunday, November 20, 2016 7:56 PM
To: tls@ietf.org<mailto:tls@ietf.org>
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*



The messages on the list seem to be perfectly split between "TLS 1.3"
and "TLS 4". I suspect that the "TLS 2017" idea will break this impasse:

   * it shares the fundamental advantage that led to the "TLS 4" idea;
   * it has the additional advantage of making the age obvious;
   * it eliminates the "4 sounds too much like 3" complaint; and
   * it eliminates the "where are TLS 2 and TLS 3?" complaint.

Perhaps it's worth starting a poll specifically between "TLS 1.3" and
"TLS 2017"? Or at least asking whether the new "TLS 2017" option would
swing some previous opinions?

Of course people who prioritize retaining the existing "TLS 1.3"
mindshare will be just as unhappy with "TLS 2017" as with "TLS 4", but
they'll get over it within a few years. :-)

---Dan



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-20 Thread Bill Frantz

On 11/21/16 at 4:56 PM, d...@cr.yp.to (D. J. Bernstein) wrote:


The messages on the list seem to be perfectly split between "TLS 1.3"
and "TLS 4". I suspect that the "TLS 2017" idea will break this impasse:

* it shares the fundamental advantage that led to the "TLS 4" idea;
* it has the additional advantage of making the age obvious;
* it eliminates the "4 sounds too much like 3" complaint; and
* it eliminates the "where are TLS 2 and TLS 3?" complaint.

Perhaps it's worth starting a poll specifically between "TLS 1.3" and
"TLS 2017"? Or at least asking whether the new "TLS 2017" option would
swing some previous opinions?

Of course people who prioritize retaining the existing "TLS 1.3"
mindshare will be just as unhappy with "TLS 2017" as with "TLS 4", but
they'll get over it within a few years. :-)


The Ecmascript standards body, TC39 has moved to year === 
version. It seems to work well for them.


I don't think that using a year means that there will be a new 
standard every year.


In the unlikely event that there is a standard bug bad enough to 
need a second standard in one year, decimal version(s) could be 
used e.g. 2017.1.  It would be understandable and act as 
punishment for us who screwed up.


Cheers - Bill

---
Bill Frantz        | Concurrency is hard. 12 out  | Periwinkle
(408)356-8506      | 10 programmers get it wrong. | 16345 Englewood Ave
www.pwpconsult.com | - Jeff Frantz                | Los Gatos, CA 95032




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-20 Thread Eric Mill
On Sun, Nov 20, 2016 at 2:17 PM, Filippo Valsorda  wrote:

> I'm definitely for 1.3.
>
> I get where 4 is coming from, but 1.2 is not going anywhere soon, and we
> spent the last 10 years training people that the high-numbered one is
> bad, and that the 1.x ones are cool.
>
> I really don't want to have the following conversation, with the exact
> same people the proponents of 4 are trying to help:
>
> "You only support 1.2, you should support 4"
> "Oh, wasn't it that weird other way around where the high one was
> broken?"
> "Ah, no, 4 is the latest and greatest"
> "Oh, ok, then I should support only 4 and 3?"
> "Nono, 3 is terribly broken."
> "Oh, so only 4? Do all clients support it?"
> "Uh, you should keep 1.2"
> "Ah, so 1.2 is better than 3 but worse than 4?"
> "Yeah... I'm sorry"
>
> "4 is great, 3 is bad, 1.2 is good" is harder than "3 is bad, 1.2 is
> good" was, and harder than "3 is bad, 1.2 is good, 1.3 is great" would
> be.
>

While this conversation might not be impossible, I think it's an unlikely
hypothetical. A change to TLS 4 wouldn't be to address confusion for those
who have already internalized the weird version history (which is mostly
people like us on-list), but for people who only think about TLS/SSL when
they're forced to think about it, once every year or few.

For those people, the real conversations I've had were based on superficial
glances and hazy memories of the protocol history that are reconstituted
every time the subject comes up. Naming it TLS 4 wouldn't fix it for
everyone, but it would be all-upside for some -- as well as providing a
helpful opportunity to drop the faux-minor version number and simplify the
numbering overall in the long term.

The near-term annoyance of renaming things by folks close to the WG, and
the chance of some confusion around the edges, seem like small issues
compared to a positive investment in bending the sanity curve of the next
20 years of lazy enterprise decisions.

-- Eric





-- 
konklone.com | @konklone 


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-20 Thread D. J. Bernstein
The messages on the list seem to be perfectly split between "TLS 1.3"
and "TLS 4". I suspect that the "TLS 2017" idea will break this impasse:

   * it shares the fundamental advantage that led to the "TLS 4" idea;
   * it has the additional advantage of making the age obvious;
   * it eliminates the "4 sounds too much like 3" complaint; and
   * it eliminates the "where are TLS 2 and TLS 3?" complaint.

Perhaps it's worth starting a poll specifically between "TLS 1.3" and
"TLS 2017"? Or at least asking whether the new "TLS 2017" option would
swing some previous opinions?

Of course people who prioritize retaining the existing "TLS 1.3"
mindshare will be just as unhappy with "TLS 2017" as with "TLS 4", but
they'll get over it within a few years. :-)

---Dan



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-19 Thread Watson Ladd
Rebrand 4. There is no reason not to.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-19 Thread Steven Valdez
Maintaining my hum from the meeting, I prefer keeping TLS 1.3 over
renaming, primarily because there's now a good amount of
documentation/implementation in the wild that refers to TLS 1.3, and we'll
need to keep around the new equivalence of TLS 2 (or 4)=TLS 1.3.


On Sat, Nov 19, 2016, 8:31 AM Ira McDonald  wrote:

> Hi,
>
> I think that the presumption that most tech people (or even security
> people)
> won't have any trouble with the future version numbering of TLS is wrong.
>
> Yesterday morning, on an SAE Vehicle Electrical Systems Security call with
> some 40 auto security professionals present, I mentioned that TLS 1.3 was
> wrapping up and was asked "What's TLS?"  Usual explanation about SSL
> being succeeded by IETF TLS 17 years ago.  Several responses that were
> the equivalent of blank stares.  And finally, "Then why is the library
> still
> called OpenSSL?"
>
> Rich has highlighted that the tech community goes right on conflating SSL
> with TLS on web sites.
>
> I change my two cents to "TLS 4" but am unsure about "4" or "4.0" because
> the tech community has been trained to care about major.minor.
>
> Cheers,
> - Ira
>
>
> Ira McDonald (Musician / Software Architect)
> Co-Chair - TCG Trusted Mobility Solutions WG
> Chair - Linux Foundation Open Printing WG
> Secretary - IEEE-ISTO Printer Working Group
> Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
> IETF Designated Expert - IPP & Printer MIB
> Blue Roof Music / High North Inc
> http://sites.google.com/site/blueroofmusic
> http://sites.google.com/site/highnorthinc
> mailto: blueroofmu...@gmail.com
> Jan-April: 579 Park Place  Saline, MI  48176  734-944-0094
> May-Dec: PO Box 221  Grand Marais, MI 49839  906-494-2434
>
>
> On Sat, Nov 19, 2016 at 6:32 AM, Jeffrey Walton 
> wrote:
>
> On Thu, Nov 17, 2016 at 9:12 PM, Sean Turner  wrote:
> > At IETF 97, the chairs led a discussion to resolve whether the WG
> should rebrand TLS1.3 to something else.  Slides can be found @
> https://www.ietf.org/proceedings/97/slides/slides-97-tls-rebranding-aka-pr612-01.pdf.
> >
> > The consensus in the room was to leave it as is, i.e., TLS1.3, and to
> not rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this
> decision on the list so please let the list know your top choice between:
> >
> > - Leave it TLS 1.3
> > - Rebrand TLS 2.0
> > - Rebrand TLS 2
> > - Rebrand TLS 4
> >
> > by 2 December 2016.
>
> Please forgive my ignorance...
>
> Who are you targeting for the versioning scheme? Regular users? Mom
> and pop shops with a web presence? Tech guys and gals? Security folks?
>
> For most tech people and security folks, I don't think it matters
> much. However, how many regular users would have clung to SSLv3 and
> TLS 1.0 (given TLS 1.2 was available) if they were named SSL 1995 and
> TLS 1999 (given TLS 2008 or TLS 2010 was available)?
>
> (Sorry to violate the Hum restriction).
>
> Jeff
>


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-19 Thread Vlad Krasnov
> "Then why is the library still
> called OpenSSL?"

All those arguments show basic confusion of what TLS is. Version numbers won't 
help solve that. 

Only going back to using the SSL name might.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-19 Thread Ira McDonald
Hi,

I think that the presumption that most tech people (or even security people)
won't have any trouble with the future version numbering of TLS is wrong.

Yesterday morning, on an SAE Vehicle Electrical Systems Security call with
some 40 auto security professionals present, I mentioned that TLS 1.3 was
wrapping up and was asked "What's TLS?"  Usual explanation about SSL
being succeeded by IETF TLS 17 years ago.  Several responses that were
the equivalent of blank stares.  And finally, "Then why is the library still
called OpenSSL?"

Rich has highlighted that the tech community goes right on conflating SSL
with TLS on web sites.

I change my two cents to "TLS 4" but am unsure about "4" or "4.0" because
the tech community has been trained to care about major.minor.

Cheers,
- Ira


Ira McDonald (Musician / Software Architect)
Co-Chair - TCG Trusted Mobility Solutions WG
Chair - Linux Foundation Open Printing WG
Secretary - IEEE-ISTO Printer Working Group
Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
IETF Designated Expert - IPP & Printer MIB
Blue Roof Music / High North Inc
http://sites.google.com/site/blueroofmusic
http://sites.google.com/site/highnorthinc
mailto: blueroofmu...@gmail.com
Jan-April: 579 Park Place  Saline, MI  48176  734-944-0094
May-Dec: PO Box 221  Grand Marais, MI 49839  906-494-2434


On Sat, Nov 19, 2016 at 6:32 AM, Jeffrey Walton  wrote:

> On Thu, Nov 17, 2016 at 9:12 PM, Sean Turner  wrote:
> > At IETF 97, the chairs led a discussion to resolve whether the WG
> should rebrand TLS1.3 to something else.  Slides can be found @
> https://www.ietf.org/proceedings/97/slides/slides-97-tls-rebranding-aka-pr612-01.pdf.
> >
> > The consensus in the room was to leave it as is, i.e., TLS1.3, and to
> not rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this
> decision on the list so please let the list know your top choice between:
> >
> > - Leave it TLS 1.3
> > - Rebrand TLS 2.0
> > - Rebrand TLS 2
> > - Rebrand TLS 4
> >
> > by 2 December 2016.
>
> Please forgive my ignorance...
>
> Who are you targeting for the versioning scheme? Regular users? Mom
> and pop shops with a web presence? Tech guys and gals? Security folks?
>
> For most tech people and security folks, I don't think it matters
> much. However, how many regular users would have clung to SSLv3 and
> TLS 1.0 (given TLS 1.2 was available) if they were named SSL 1995 and
> TLS 1999 (given TLS 2008 or TLS 2010 was available)?
>
> (Sorry to violate the Hum restriction).
>
> Jeff
>


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-19 Thread Peter Gutmann
Ilari Liusvaara  writes:

>Nope, I was referring to the very technical property that if a client sends a
>TLS 1.3 handshake, a TLS 1.2 server can still successfully interop, provided
>that the client does TLS 1.2 too

That's like saying that PGP and S/MIME are compatible because if a client
sends a PGP message, a MIME-enabled server can still successfully interop
provided the S/MIME server does PGP too.

Anyway, it's a silly debate (as my Wozniak joke tried to point out), so I'll
bow out now.

Peter.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-19 Thread Jeffrey Walton
On Thu, Nov 17, 2016 at 9:12 PM, Sean Turner  wrote:
> At IETF 97, the chairs led a discussion to resolve whether the WG should 
> rebrand TLS1.3 to something else.  Slides can be found @ 
> https://www.ietf.org/proceedings/97/slides/slides-97-tls-rebranding-aka-pr612-01.pdf.
>
> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not 
> rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision on 
> the list so please let the list know your top choice between:
>
> - Leave it TLS 1.3
> - Rebrand TLS 2.0
> - Rebrand TLS 2
> - Rebrand TLS 4
>
> by 2 December 2016.

Please forgive my ignorance...

Who are you targeting for the versioning scheme? Regular users? Mom
and pop shops with a web presence? Tech guys and gals? Security folks?

For most tech people and security folks, I don't think it matters
much. However, how many regular users would have clung to SSLv3 and
TLS 1.0 (given TLS 1.2 was available) if they were named SSL 1995 and
TLS 1999 (given TLS 2008 or TLS 2010 was available)?

(Sorry to violate the Hum restriction).

Jeff



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Anders Rundgren

On 2016-11-19 07:35, Victor Vasiliev wrote:

> On Fri, Nov 18, 2016 at 9:30 PM, Kazuho Oku wrote:
>
> > I oppose going to TLS 4, due to the following reasons:
> >
> > * it might give people the false notion that SSL 2.0 and 3.0 are superior to
> > TLS 1.0-1.2
> > * if we name the new protocol TLS 1.3, 2.0, or 2, then there would be no
> > confusion once SSL goes away. However, if we name the new version TLS 4, then
> > people would (for upcoming tens of years) continue to ask where TLS 2 and TLS 3
> > are.


Windows 9 never made it to the public.  Hardly anybody complained.

Whether the TLS protocol you are working on is "Brand New" or just an
"Incremental Upgrade" is more a matter of personal opinion than an absolute
truth.  It is definitely a "Major Overhaul" since every little bit of the
protocol has been reviewed thoroughly.

TLS 4 seems OK to me.

Anders




> I very much agree with those points.
>
> TLS 4 is a confusing name that, as far as I can tell, cannot actually make
> things better.  Right now we have:
>
> SSL 2 -> SSL 3 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> TLS 1.3  (1)
>
> Now, some people may get confused by this because of the "SSL is TLS" idea, but
> once you learn that in reality "SSL is a thing that was before TLS", it does
> make sense and seem fairly straightforward (a series of numbers under one name,
> followed by another series of numbers under the new name).
>
> With TLS 4, we have:
>
> SSL 2 -> SSL 3 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> TLS 4  (2)
>
> This does have a nice property of indicating that TLS 4 is clearly the latest
> version (as long as you know that SSL came before TLS), but the omission of TLS 2
> and TLS 3 will leave people confused, and most likely lead them to conclude
> that what happened is TLS was renamed to SSL and then back again, so that
>
> TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> SSL 2 -> SSL 3 -> TLS 4.  (3)
>
> But this is not even the worst of the problems.
>
> The real problem is that we can't actually rename TLS 1.3, because at the end
> we will merely create a new name for it.  It has already been TLS 1.3 for a few
> years, it has been discussed in the tech community as TLS 1.3, researchers have
> published papers about TLS 1.3, there's probably already marketing material
> with TLS 1.3 out there.  The code that refers to it as TLS 1.3 will probably
> end up referring to it as 1.3 for approximately forever, even if all the
> implementers had been enthusiastic about renaming it, because refactoring is
> high-cost and low-priority, and may not even be possible if you've already
> exposed it via the ABI.  The old name will never die, and it will be a burden
> to anyone in this community, making a confusing versioning scheme even more
> confusing.  It will probably leak outside of it too, and instead of (2), we
> will end up getting
>
> SSL 2 -> SSL 3 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> TLS 1.3 = TLS 4  (4)
>
> which seems strictly more confusing than (1) in any way.
>
> tl;dr: the only way to minimize confusion at this point is to not change
> anything.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Victor Vasiliev
On Fri, Nov 18, 2016 at 9:30 PM, Kazuho Oku  wrote:

> I oppose to going to TLS 4, due to the following reasons:
>
> * it might give people false notion that  SSL 2.0, 3.0 is superior to TLS
> 1.0-1.2
> * if name the new protocol TLS 1.3, 2.0, or 2, then there would be no
> confusion once SSL goes away. However, if we name the new version TLS 4,
> then people would (for upcoming tens of years) continue to ask where TLS 2
> and TLS 3.
>
>
I very much agree with those points.

TLS 4 is a confusing name that, as far as I can tell, cannot actually make
things better.  Right now we have:

SSL 2 -> SSL 3 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> TLS 1.3  (1)

Now, some people may get confused by this because of the "SSL is TLS" idea, but
once you learn that in reality "SSL is a thing that was before TLS", it does
make sense and seem fairly straightforward (a series of numbers under one name,
followed by another series of numbers under the new name).

With TLS 4, we have:

SSL 2 -> SSL 3 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> TLS 4  (2)

This does have a nice property of indicating that TLS 4 is clearly the latest
version (as long as you know that SSL came before TLS), but the omission of TLS 2
and TLS 3 will leave people confused, and most likely lead them to conclude
that what happened is TLS was renamed to SSL and then back again, so that

TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> SSL 2 -> SSL 3 -> TLS 4.  (3)

But this is not even the worst of the problems.

The real problem is that we can't actually rename TLS 1.3, because at the end
we will merely create a new name for it.  It has already been TLS 1.3 for a few
years, it has been discussed in the tech community as TLS 1.3, researchers have
published papers about TLS 1.3, there's probably already marketing material
with TLS 1.3 out there.  The code that refers to it as TLS 1.3 will probably
end up referring to it as 1.3 for approximately forever, even if all the
implementers had been enthusiastic about renaming it, because refactoring is
high-cost and low-priority, and may not even be possible if you've already
exposed it via the ABI.  The old name will never die, and it will be a burden
to anyone in this community, making a confusing versioning scheme even more
confusing.  It will probably leak outside of it too, and instead of (2), we
will end up getting

SSL 2 -> SSL 3 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> TLS 1.3 = TLS 4  (4)

which seems strictly more confusing than (1) in any way.

tl;dr: the only way to minimize confusion at this point is to not change
anything.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Ilari Liusvaara
On Sat, Nov 19, 2016 at 02:41:04AM +, Peter Gutmann wrote:
> Replying to several messages at once to save space:
> 
> Ilari Liusvaara:
> 
> >One can downnegotiate TLS 1.3 to TLS 1.2.
> 
> Ah, you're obviously a fan of Steve Wozniak humour.  When someone asked him
> whether it was possible to upgrade from an Apple II+ to an Apple IIe, he
> similarly said "yes, you unplug the power cable from the II+, throw it away,
> and plug the IIe into the newly-vacated power cable".

Nope, I was referring to the very technical property that if a client sends
a TLS 1.3 handshake, a TLS 1.2 server can still successfully interop,
provided that the client does TLS 1.2 too (which I think every TLS client
known to support TLS 1.3 except Picotls does).

At the last major version bump, SSLv2->SSLv3, this was NOT true. An SSLv2
server would barf upon receiving an SSLv3 client hello (TLS 1.0 was
clearly "SSL v3.1" internally).

And folks could think that kind of downnegotiation wasn't the case
given a major version bump. Such would cause confusion much much worse
than confusing the ordering of TLS and SSL versions.


-Ilari

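As an added example of the interop property Ilari describes above (my own code, not anything from the thread or from any TLS implementation), here is a toy model of version negotiation run from both sides. It assumes the final RFC 8446 encoding (legacy_version pinned to 0x0303, supported_versions carrying 0x0304) rather than the draft codepoints in use when this thread was written, reduces each server to the set of versions it implements, leaves SSLv2 out because its hello uses a different record format, and treats a 1.3-only client the way Ilari characterises Picotls, which I have not checked. The `Client` class and the server sets are hypothetical. The same constants also show the ordering mistake djb describes in the messages quoted further down the thread: 3 beats 1.2 by printed numeral but not on the wire, because TLS 1.0 is encoded as 0x0301, "SSL 3.1".

```python
"""Toy model of TLS version negotiation (added example; not code from the
thread or from any TLS implementation)."""
from dataclasses import dataclass, field
from typing import List, Set

# ProtocolVersion on the wire is {major, minor}. TLS 1.0 is 0x0301, literally
# "SSL 3.1", which is why the numerals printed on the label do not order the
# way the bytes do. Values from RFC 5246 / RFC 8446; the drafts discussed in
# this thread still advertised draft codepoints for 1.3 instead of 0x0304.
SSL30 = 0x0300
TLS10 = 0x0301
TLS11 = 0x0302
TLS12 = 0x0303
TLS13 = 0x0304

NAMES = {SSL30: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1",
         TLS12: "TLS 1.2", TLS13: "TLS 1.3"}


@dataclass
class ClientHello:
    legacy_version: int                                          # ClientHello version field
    supported_versions: List[int] = field(default_factory=list)  # extension, preferred first


@dataclass
class Client:
    versions: Set[int]  # what this (hypothetical) client implements

    def hello(self) -> ClientHello:
        if TLS13 in self.versions:
            # RFC 8446: legacy_version is pinned to 0x0303 so an older server sees a
            # hello it understands; the real offer rides in supported_versions.
            return ClientHello(TLS12, sorted(self.versions, reverse=True))
        # A pre-1.3 client simply puts its highest version in the version field.
        return ClientHello(max(self.versions))


class ProtocolVersionAlert(Exception):
    """Stands in for the protocol_version alert a server sends when nothing matches."""


def server_select(hello: ClientHello, server_versions: Set[int]) -> int:
    """Version a server implementing `server_versions` picks for this hello."""
    if TLS13 in server_versions and hello.supported_versions:
        # A 1.3-capable server negotiates from the extension and ignores legacy_version.
        for v in hello.supported_versions:
            if v in server_versions:
                return v
        raise ProtocolVersionAlert()
    # A TLS 1.2-or-older server does not know the extension and skips it as unknown,
    # then serves the highest version it has that does not exceed the client's field
    # (RFC 5246 appendix E.1). A 1.3 server that received no extension does the same;
    # 0x0304 can never be chosen this way.
    candidates = [v for v in server_versions if v <= hello.legacy_version and v < TLS13]
    if not candidates:
        raise ProtocolVersionAlert()
    return max(candidates)


def handshake(client: Client, server_versions: Set[int]) -> str:
    """Run both sides' version checks and report the outcome as a string."""
    hello = client.hello()
    try:
        chosen = server_select(hello, server_versions)
    except ProtocolVersionAlert:
        return "server abort: protocol_version"
    if chosen not in client.versions:
        # The case Ilari flags: a 1.3-only client gets a plain TLS 1.2 ServerHello
        # from a server that never saw the extension, and must abort.
        return "client abort: illegal_parameter"
    return NAMES[chosen]


def newest_by_numeral(labels: List[str]) -> str:
    """The mistake djb describes later in the thread: rank by the printed number."""
    return max(labels, key=lambda s: float(s.split()[1]))


def newest_on_wire(labels: List[str]) -> str:
    """Rank by the wire ProtocolVersion instead, where SSL 3.0 < TLS 1.0."""
    by_name = {name: v for v, name in NAMES.items()}
    return NAMES[max(by_name[s] for s in labels)]


if __name__ == "__main__":
    tls12_server = {TLS10, TLS11, TLS12}
    tls13_server = {TLS12, TLS13}
    print(handshake(Client({TLS12, TLS13}), tls12_server))        # TLS 1.2: the downnegotiation Ilari means
    print(handshake(Client({TLS13}), tls12_server))               # client abort: 1.3-only client
    print(handshake(Client({TLS12, TLS13}), tls13_server))        # TLS 1.3
    print(handshake(Client({TLS10, TLS11, TLS12}), tls13_server)) # TLS 1.2: old client, new server
    print(newest_by_numeral(["SSL 3.0", "TLS 1.2"]), "vs", newest_on_wire(["SSL 3.0", "TLS 1.2"]))
```

The point of modelling the client's check as well as the server's is that the failure in the 1.3-only case is not the server "barfing" (as an SSLv2 server did on an SSLv3 hello) but the client refusing a ServerHello for a version it never offered; the old server is none the wiser, which is exactly why the wire-level compatibility Ilari mentions survives a major-looking version bump.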


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread David Woodhouse
On Fri, 2016-11-18 at 13:19 -0800, Vlad Krasnov wrote:
> > Well, for example, your website has twice as many mentions of SSL
> > as TLS.  Why?  Why don't you have a product called "Universal TLS"?
> > The ratio is the same for letsencrypt.org. TLS 1.0 had already
> > existed for more than a decade before either place existed.  BTW,
> > at google, it's 20:1, and that's just google, not the web.  (Counts
> > were done in the obvious dumb way "site:letsencrypt.org tls" and
> > then with "ssl" and noting the summary stats at the top of the
> > return results.) 
> > 
> > People are confused because we treat them as the same thing. 
> 
> Well, if the result of the confusion would be people *disabling* TLS
> 1.* in favor of SSL 3.0, they would discover very quickly what is
> TLS, and why no major browser works for them.

We already have a bunch of confusion around "SSL" vs. "TLS". Many mail
clients seems to allow you to configure SMTP/IMAP servers to be
accessed over "SSL", which means TLS, or "TLS", which means it connects
in the clear and then negotiates an upgrade with STARTTLS.

-- 
dwmw2




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Peter Gutmann
Vlad Krasnov  writes:

>Second: I don’t think that the changes between TLS 1.3 and TLS 1.2 are
>considered major: just look at the difference between HTTP/2 and HTTP/1 -
>those are completely different protocols.

So are TLS 1.x and "1.3".  It'd be interesting to hear from other implementers
on this, but my secure-tunnel code consists of a high-level framework that
handles things at an abstract level, client hello, server hello, keyex, keyex-
auth, finished, and subsequent stuff, and that's the same for both TLS and SSH
(I use TLS names for consistency, but SSH does the same things under its own
names).  The bit-bagging for the two is obviously quite different, but the
high-level handling is taken from the same code.

For "1.3" I looked at what it'd take to bolt it onto the side of the other 1.x
code and it'd end up as this weird hermaphrodite mixture with huge amounts of
effort devoted to trying to track whether it's meant to be acting as 1.x or
"1.3", with the accompanying opportunity for problems if I miss something and
drop from 1.x to "1.3" or the other way round.  The easiest way to implement
it is as a new protocol, trying to pretend that 1.x and "1.3" are the same
thing just leads to an implementation nightmare when you have to keep the two
distinct.

So at least from this implementation's point of view, they're different
protocols.

Peter.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Peter Gutmann
Replying to several messages at once to save space:

Ilari Liusvaara:

>One can downnegotiate TLS 1.3 to TLS 1.2.

Ah, you're obviously a fan of Steve Wozniak humour.  When someone asked him
whether it was possible to upgrade from an Apple II+ to an Apple IIe, he
similarly said "yes, you unplug the power cable from the II+, throw it away,
and plug the IIe into the newly-vacated power cable".

Christian Huitema:

>I prefer TLS 1.3, because it signals continuity with the ongoing TLS
>deployment efforts.

Maybe it's just me, but wouldn't the fact that they're both called TLS sort of
indicate that there's continuity there?

Dave Kern:

>I'm in favor of TLS 4, and ignoring the minor version number (in the friendly
>text string, not the protocol field) moving forward.

That's actually a good point, "TLS 4" provides a single, clean number for people
to remember.  Even a CTO or auditor should be able to get that one right without
having to look up a table in a book to see that 1.3 > v3.

Peter.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Kazuho Oku
2016-11-19 7:32 GMT+09:00 Eric Mill :

> It seems like TLS 2 and TLS 2.0 have very little support, so it's really
> just deciding between:
>
> TLS 1.3
> TLS 4 (or maybe 4.0)
>
>
I oppose going to TLS 4, due to the following reasons:

* it might give people the false notion that SSL 2.0 and 3.0 are superior to
TLS 1.0-1.2
* if we name the new protocol TLS 1.3, 2.0, or 2, then there would be no
confusion once SSL goes away. However, if we name the new version TLS 4,
then people would (for upcoming tens of years) continue to ask where TLS 2
and TLS 3 are.


> I'll just amplify Rich's and djb's points by noting that the cost of
> switching away from TLS 1.3 really only affects a very small number of
> people -- really just the people in and around this WG.
>
> There is a much, much larger universe of people who will make deployment
> and implementation decisions, with varying attention span and degrees of
> skill, and I think they're best served with a clean start of an unambiguous
> version number. Just because it feels uncomfortable to us doesn't mean it
> will feel uncomfortable to the larger technical/enterprise community who
> don't really *care* about the versioning scheme, they just need to make
> some decisions and move on.
>
> -- Eric
>
> On Fri, Nov 18, 2016 at 1:07 PM, D. J. Bernstein  wrote:
>
>> The largest number of users have the least amount of information, and
>> they see version numbers as part of various user interfaces. It's clear
>> how they will be inclined to guess 3>1.3>1.2>1.1>1.0 (very bad) but
>> 4>3>1.2>1.1>1.0 (eliminating the problem as soon as 4 is supported).
>>
>> We've all heard anecdotes of 3>1.2>1.1>1.0 disasters. Even if this type
>> of disaster happens to only 1% of site administrators, it strikes me as
>> more important for security than any of the arguments that have been
>> given for "TLS 1.3". So I would prefer "TLS 4".
>>
>> Yes, sure, we can try to educate people that TLS>SSL (but then we're
>> fighting against tons of TLS=SSL messaging), or educate them to use
>> server-testing tools (so that they can fix the problem afterwards---but
>> I wonder whether anyone has analyzed the damage caused by running SSLv3
>> for a little while before switching the same keys to a newer protocol),
>> and hope that this education fights against 3>1.3 more effectively than
>> it fought against 3>1.2. But it's better to switch to a less error-prone
>> interface that doesn't require additional education in the first place.
>>
>> ---Dan
>>
>
> --
> konklone.com | @konklone 


-- 
Kazuho Oku


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread David Adrian
I recognize I don't participate on this list very often, but I also agree
with TLS 4.0 and Dan's argument. I teach an undergraduate security course
at Michigan; students have enough trouble keeping track of SSL vs TLS
versions as it is. Jumping to 4.0 allows us to end this versioning debacle
now.

On Fri, Nov 18, 2016 at 6:04 PM Nick Sullivan wrote:

> If we decide to move to some numeral higher than 3 to avoid confusion, I
> recommend *TLS 4*, but urge people to tell the story of the name in a way
> that retains some sense of continuity and logic.
>
> Here's a framing that makes sense:
>
> *TLS 4 is the fourth version of TLS*
> This framing will tell a positive message of progression, rather than
> embody a condescending message such as "we gave it this name because people
> aren't able to understand that TLS 1.3 is newer than SSL 3". It will also
> immediately make sense to people who were exposed to the marketing around
> Windows 7.
>
> Without this framing, TLS 4 (or 4.0) will seem like a confusing choice.
>
> (for the record, I'm still for TLS 1.3)
>
> On Fri, Nov 18, 2016 at 11:13 AM Sean Turner  wrote:
>
> At IETF 97, the chairs led a discussion to resolve whether the WG should
> rebrand TLS1.3 to something else.  Slides can be found @
> https://www.ietf.org/proceedings/97/slides/slides-97-tls-rebranding-aka-pr612-01.pdf.
>
> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not
> rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision
> on the list so please let the list know your top choice between:
>
> - Leave it TLS 1.3
> - Rebrand TLS 2.0
> - Rebrand TLS 2
> - Rebrand TLS 4
>
> by 2 December 2016.
>
> Thanks,
> J


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Nick Sullivan
If we decide to move to some numeral higher than 3 to avoid confusion, I
recommend *TLS 4*, but urge people to tell the story of the name in a way
that retains some sense of continuity and logic.

Here's a framing that makes sense:

*TLS 4 is the fourth version of TLS*
This framing will tell a positive message of progression, rather than
embody a condescending message such as "we gave it this name because people
aren't able to understand that TLS 1.3 is newer than SSL 3". It will also
immediately make sense to people who were exposed to the marketing around
Windows 7.

Without this framing, TLS 4 (or 4.0) will seem like a confusing choice.

(for the record, I'm still for TLS 1.3)

On Fri, Nov 18, 2016 at 11:13 AM Sean Turner  wrote:

> At IETF 97, the chairs led a discussion to resolve whether the WG should
> rebrand TLS1.3 to something else.  Slides can be found @
> https://www.ietf.org/proceedings/97/slides/slides-97-tls-rebranding-aka-pr612-01.pdf.
>
> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not
> rebrand it to TLS 2.0, TLS 2, or TLS 4.  We need to confirm this decision
> on the list so please let the list know your top choice between:
>
> - Leave it TLS 1.3
> - Rebrand TLS 2.0
> - Rebrand TLS 2
> - Rebrand TLS 4
>
> by 2 December 2016.
>
> Thanks,
> J


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Eric Mill
It seems like TLS 2 and TLS 2.0 have very little support, so it's really
just deciding between:

TLS 1.3
TLS 4 (or maybe 4.0)

I'll just amplify Rich's and djb's points by noting that the cost of
switching away from TLS 1.3 really only affects a very small number of
people -- really just the people in and around this WG.

There is a much, much larger universe of people who will make deployment
and implementation decisions, with varying attention span and degrees of
skill, and I think they're best served with a clean start of an unambiguous
version number. Just because it feels uncomfortable to us doesn't mean it
will feel uncomfortable to the larger technical/enterprise community who
don't really *care* about the versioning scheme, they just need to make
some decisions and move on.

-- Eric

On Fri, Nov 18, 2016 at 1:07 PM, D. J. Bernstein  wrote:

> The largest number of users have the least amount of information, and
> they see version numbers as part of various user interfaces. It's clear
> how they will be inclined to guess 3>1.3>1.2>1.1>1.0 (very bad) but
> 4>3>1.2>1.1>1.0 (eliminating the problem as soon as 4 is supported).
>
> We've all heard anecdotes of 3>1.2>1.1>1.0 disasters. Even if this type
> of disaster happens to only 1% of site administrators, it strikes me as
> more important for security than any of the arguments that have been
> given for "TLS 1.3". So I would prefer "TLS 4".
>
> Yes, sure, we can try to educate people that TLS>SSL (but then we're
> fighting against tons of TLS=SSL messaging), or educate them to use
> server-testing tools (so that they can fix the problem afterwards---but
> I wonder whether anyone has analyzed the damage caused by running SSLv3
> for a little while before switching the same keys to a newer protocol),
> and hope that this education fights against 3>1.3 more effectively than
> it fought against 3>1.2. But it's better to switch to a less error-prone
> interface that doesn't require additional education in the first place.
>
> ---Dan
>



-- 
konklone.com | @konklone 


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Salz, Rich
>In the end, it's just a label.

And some folks here have tried to explain why labels matter.  If you don't find 
those arguments compelling, that's fine.  But if it's really "just" a label to 
you, then I'll assume we've seen your last post on this thread? :)
 
--  
Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richs...@jabber.at Twitter: RichSalz




Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Martin Thomson
On 18 Nov 2016 21:10, "Peter Gutmann"  wrote:
> Which is kind of odd, because the consensus on the list when it was
> debated here a while back was to not call it 1.3.

Some of us stayed quiet for that conversation. I might speculate that it
was because it wasn't a constructive discussion.

In the end, it's just a label.


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Julien ÉLIE

Hi all,


> The consensus in the room was to leave it as is, i.e., TLS1.3, and to
> not rebrand it to TLS 2.0, TLS 2, or TLS 4. We need to confirm this
> decision on the list so please let the list know your top choice between:
>
> - Leave it TLS 1.3
> - Rebrand TLS 2.0
> - Rebrand TLS 2
> - Rebrand TLS 4


Is there a reason why TLS 4.0 was not proposed?

I would indeed vote for TLS 4.0 (I believe minor versions are useful to 
keep; bumping the major version should occur only when there are 
disruptive changes).
TLS 4.0 gives people a stronger signal that it is a "must-have"
(compared to 1.3), and prevents people from being confused by SSL 2 and 3.



P.S.:  I would also suggest using the TLS 1.3 name for "TLS 1.2 LTS".

--
Julien ÉLIE

"What I like about you is that you know just how far one can go too
  far." (Cocteau)



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Vlad Krasnov

> People changing browser settings?  Really?

I was thinking about site admins.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Eftychios Theodorakis
It is imprinted in people's minds that minor version numbering = small
improvements and compatibility. People for better or worse see a minor
version as minor improvements and often disregard them considering the
effort versus the payout - even if that is a single configuration change.
That's how they learned from non security related projects.

> I prefer TLS 1.3, because it signals continuity with the
> ongoing TLS deployment efforts.

The alternative suggestion (4) also signals the ongoing efforts. True, it
does hint at possible incompatibility; but is this not an honest versioning
then?

I think educating people is a good cause, but that's not enough. One has to
account for all the real life anecdotes mentioned above. If people were
good and fully informed decision makers there would not be a need for "do
not press this red button" signs.

I am not sure what will end up being the better version, but I am certain
that 1.3 will be disregarded as a minor change - it is not. My suggestion
is for TLS 4.


2016-11-18 10:07 GMT-08:00 D. J. Bernstein :

> The largest number of users have the least amount of information, and
> they see version numbers as part of various user interfaces. It's clear
> how they will be inclined to guess 3>1.3>1.2>1.1>1.0 (very bad) but
> 4>3>1.2>1.1>1.0 (eliminating the problem as soon as 4 is supported).
>
> We've all heard anecdotes of 3>1.2>1.1>1.0 disasters. Even if this type
> of disaster happens to only 1% of site administrators, it strikes me as
> more important for security than any of the arguments that have been
> given for "TLS 1.3". So I would prefer "TLS 4".
>
> Yes, sure, we can try to educate people that TLS>SSL (but then we're
> fighting against tons of TLS=SSL messaging), or educate them to use
> server-testing tools (so that they can fix the problem afterwards---but
> I wonder whether anyone has analyzed the damage caused by running SSLv3
> for a little while before switching the same keys to a newer protocol),
> and hope that this education fights against 3>1.3 more effectively than
> it fought against 3>1.2. But it's better to switch to a less error-prone
> interface that doesn't require additional education in the first place.
>
> ---Dan
>


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Salz, Rich
> Well, if the result of the confusion would be people *disabling* TLS 1.* in
> favor of SSL 3.0, they would discover very quickly what is TLS, and why no
> major browser works for them.

People changing browser settings?  Really?



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Vlad Krasnov

> Well, for example, your website has twice as many mentions of SSL as TLS.  
> Why?  Why don't you have a product called "Universal TLS"? The ratio is the 
> same for letsencrypt.org. TLS 1.0 had already existed for more than a decade 
> before either place existed.  BTW, at google, it's 20:1, and that's just 
> google, not the web.  (Counts were done in the obvious dumb way 
> "site:letsencrypt.org tls" and then with "ssl" and noting the summary stats 
> at the top of the return results.) 
> 
> People are confused because we treat them as the same thing. 

Well, if the result of the confusion would be people *disabling* TLS 1.* in
favor of SSL 3.0, they would discover very quickly what TLS is, and why no
major browser works for them.



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Salz, Rich

> First: where can we see the study that proves people are indeed confused
> that TLS > SSL? I don't buy into that. Are people really confused after 17
> years of TLS?

Well, for example, your website has twice as many mentions of SSL as TLS.  Why?
Why don't you have a product called "Universal TLS"? The ratio is the same for
letsencrypt.org. TLS 1.0 had already existed for more than a decade before
either place existed.  BTW, at google, it's 20:1, and that's just google, not
the web.  (Counts were done in the obvious dumb way "site:letsencrypt.org tls"
and then with "ssl" and noting the summary stats at the top of the return
results.)

People are confused because we treat them as the same thing.

> Third: There was *some* marketing on TLS 1.3, and changing the name now
> will just tell the public the WG is confused and doesn't know what it's doing.

The public has no idea what the WG is.

Listen to the non-developers who have posted here.  Version numbers matter to
low-information decision makers, who need something quick and simple to grab on
to.  It's silly, but so is the real world.  TLS 4 or TLS 4.0.  The technology
will get more exposure as the trade press explains why the new version number
-- it's so much more secure than what we've had before -- and therefore the
"new TLS" will get more mindshare.  And therefore adoption will be more rapid.
That's what we want, right?  Or are we satisfied with just letting two
browsers' canary builds pull the entire Internet forward?

Yes, it will be inconvenient.  Suck it up, buttercup.  At the IETF this week we
had people telling people from an entire industry segment "too bad, this is the
right thing to do; adapt."  (I exaggerate for effect here.)  And now we're
going to confuse the world because we can't change the name of a GitHub repo, a
few #define's in source, and maybe a Wikipedia page?


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Deb Cooley
+1 for TLS 1.3; anything else is confusing to everybody (the term 'SSL' is
still very common in the layman vocabulary).

That said, if I had to pick a second choice, then TLS4 would be my choice.

Deb Cooley

On Fri, Nov 18, 2016 at 3:26 PM, Joseph Birr-Pixton wrote:

> For what it's worth I would prefer TLS4.
>
> Cheers,
> Joe
>


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Joseph Birr-Pixton
For what it's worth I would prefer TLS4.

Cheers,
Joe



Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread Vlad Krasnov
First: where can we see the study that proves people are indeed confused that 
TLS > SSL? I don’t buy into that. Are people really confused after 17 years of 
TLS?

Second: I don't think that the changes between TLS 1.3 and TLS 1.2 are
considered major: just look at the difference between HTTP/2 and HTTP/1 -
those are completely different protocols.

Most of TLS 1.3 could be implemented on top of TLS 1.2 with extensions (the way 
it really looks, if you consider even client_version remains the same).

Third: There was *some* marketing on TLS 1.3, and changing the name now will
just tell the public the WG is confused and doesn't know what it's doing.

I vote for TLS 1.3.


> On 18 Nov 2016, at 10:07, D. J. Bernstein  wrote:
> 
> The largest number of users have the least amount of information, and
> they see version numbers as part of various user interfaces. It's clear
> how they will be inclined to guess 3>1.3>1.2>1.1>1.0 (very bad) but
> 4>3>1.2>1.1>1.0 (eliminating the problem as soon as 4 is supported).
> 
> We've all heard anecdotes of 3>1.2>1.1>1.0 disasters. Even if this type
> of disaster happens to only 1% of site administrators, it strikes me as
> more important for security than any of the arguments that have been
> given for "TLS 1.3". So I would prefer "TLS 4".
> 
> Yes, sure, we can try to educate people that TLS>SSL (but then we're
> fighting against tons of TLS=SSL messaging), or educate them to use
> server-testing tools (so that they can fix the problem afterwards---but
> I wonder whether anyone has analyzed the damage caused by running SSLv3
> for a little while before switching the same keys to a newer protocol),
> and hope that this education fights against 3>1.3 more effectively than
> it fought against 3>1.2. But it's better to switch to a less error-prone
> interface that doesn't require additional education in the first place.
> 
> ---Dan
> 


Re: [TLS] Confirming consensus: TLS1.3->TLS*

2016-11-18 Thread D. J. Bernstein
The largest number of users have the least amount of information, and
they see version numbers as part of various user interfaces. It's clear
how they will be inclined to guess 3>1.3>1.2>1.1>1.0 (very bad) but
4>3>1.2>1.1>1.0 (eliminating the problem as soon as 4 is supported).

We've all heard anecdotes of 3>1.2>1.1>1.0 disasters. Even if this type
of disaster happens to only 1% of site administrators, it strikes me as
more important for security than any of the arguments that have been
given for "TLS 1.3". So I would prefer "TLS 4".

Yes, sure, we can try to educate people that TLS>SSL (but then we're
fighting against tons of TLS=SSL messaging), or educate them to use
server-testing tools (so that they can fix the problem afterwards---but
I wonder whether anyone has analyzed the damage caused by running SSLv3
for a little while before switching the same keys to a newer protocol),
and hope that this education fights against 3>1.3 more effectively than
it fought against 3>1.2. But it's better to switch to a less error-prone
interface that doesn't require additional education in the first place.

---Dan


