On 02/12/16 03:35, David Benjamin wrote:
> In hindsight, renaming SSL 3.1 was a terrible mistake.
IIRC that was sort-of a condition for adoption of the work
in the IETF 20 years ago, when there were two different
protocols already being deployed and the proponents of one
of them said "we'll use
Stephen Farrell writes:
>IIRC that was sort-of a condition for adoption of the work in the IETF 20
>years ago, when there were two different protocols already being deployed and
>the proponents of one of them said "we'll use that other one (SSL) but you
>gotta change the name of the standard or w
> On 2 Dec 2016, at 10:33, Peter Gutmann wrote:
>
> Stephen Farrell writes:
>
>> IIRC that was sort-of a condition for adoption of the work in the IETF 20
>> years ago, when there were two different protocols already being deployed and
>> the proponents of one of them said "we'll use that othe
Yoav Nir writes:
>The way I’ve heard it “SSL” is a registered trademark owned by Netscape (now
>AOL), so we can’t use it unless AOL lawyers sign off on that. It might be
>wrong, but if it’s true - good luck with that.
http://tmsearch.uspto.gov/bin/showfield?f=toc&state=4810%3Ajoxwrl.1.1&p_search
On 2 December 2016 at 09:22, Yoav Nir wrote:
>
>> On 2 Dec 2016, at 10:33, Peter Gutmann wrote:
>>
>> Stephen Farrell writes:
>>
>>> IIRC that was sort-of a condition for adoption of the work in the IETF 20
>>> years ago, when there were two different protocols already being deployed
>>> and
>>
On Friday, 2 December 2016 03:12:41 CET Peter Gutmann wrote:
> Tony Arcieri writes:
> >There's already ample material out there (papers, presentations, mailing
> >list discussions, etc) which talks about "TLS 1.3".
>
> In other words, the TLS WG and a small number of people who interact with it
>
> People already know that SSL3 is worse than "SSL" 1.0 though 1.2 , it's
> logical
> that SSL 1.3 continues that trend. creating "SSL" 4 will bring more confusion.
Please explain that assertion.
--
Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richs...@jabber.at Twitter:
Rich, I don't think there is any explanation that can be given for the
assertion without collecting a lot of data. That said, the objection
makes sense to me. I certainly think of SSL as poison. Of course,
the average Joe on the street doesn't even know what TLS stands for,
but the people who
Nobody knows the difference tween 1.0 1.1 1.2
SSL 4 or SSL 4.0 is a bigger number than 1.x and uses the same term that
everyone, including our industry, uses. If someone sees "TLS 1.2" and thinks
"wow, that's so much worse than SSL 4 because the number is so much smaller,"
then isn't that a go
On Friday, 2 December 2016 13:47:20 CET Salz, Rich wrote:
> > People already know that SSL3 is worse than "SSL" 1.0 though 1.2 , it's
> > logical that SSL 1.3 continues that trend. creating "SSL" 4 will bring
> > more confusion.
>
> Please explain that assertion.
SSL 2 < SSL 3 < "SSL" 1.0 < "SSL"
"Salz, Rich" writes:
People already know that SSL3 is worse than "SSL" 1.0 though 1.2 , it's logical
that SSL 1.3 continues that trend. creating "SSL" 4 will bring more confusion.
Please explain that assertion.
I was going to ask that too, the quoted text seems..., well, gibberish to me.
On Friday, 2 December 2016 14:04:36 CET Salz, Rich wrote:
> Nobody knows the difference tween 1.0 1.1 1.2
>
> SSL 4 or SSL 4.0 is a bigger number than 1.x and uses the same term that
> everyone, including our industry, uses. If someone sees "TLS 1.2" and
> thinks "wow, that's so much worse than S
> SSL 2 < SSL 3 < "SSL" 1.0 < "SSL" 1.1 < "SSL" 1.2 < "SSL" 4 is not logical
> ordering
So? Who cares? A couple-hundred people in the IETF. And the issue is that
SSL 3 < "SSL" 1.0 which is the issue no matter what we call what we're doing
here. And the quotes around the last SSL do not belo
+1 On Ted's comments.
In Enterprise circles TLS is an unknown acronym and as painful as it is, we
must usually refer to it as SSL, before anyone knows what we are talking
about.
Software products are guilty too. Parameter fields frequently reference SSL.
:(
-Original Message---
On Friday, 2 December 2016 14:12:38 CET Salz, Rich wrote:
> > SSL 2 < SSL 3 < "SSL" 1.0 < "SSL" 1.1 < "SSL" 1.2 < "SSL" 4 is not logical
> > ordering
>
> So? Who cares? A couple-hundred people in the IETF. And the issue is that
> SSL 3 < "SSL" 1.0 which is the issue no matter what we call what
On Fri, Dec 02, 2016 at 02:17:24PM +, Ackermann, Michael wrote:
> In Enterprise circles TLS is an unknown acronym and as painful as it
> is, we must usually refer to it as SSL, before anyone knows what we
> are talking about. Software products are guilty too. Parameter
> fields frequently
The bottom line is that this is an unanswerable question. My advice
is to not change the name, because I think more name changes = more
confusion and it is _way_ too late to put TLS back in the box. But
what do I know--I'm just an end user! :)
On Fri, Dec 2, 2016 at 9:42 AM, Hubert Kario wr
Hi all,
The point is we are now indeed on draft 18. Changing the name now is very
problematic because everybody on the mailinglist already calls it TLS 1.3,
for a long time and no matter what you do, a lot of us (who are hopefully
the experts) will keep referring to it under that name.
If you wan
On Fri 2016-12-02 03:33:21 -0500, Peter Gutmann wrote:
> If no-one from Microsoft has any objections, can we just rename it back to
> what it's always been for everyone but us, SSL?
fwiw, the industry (and stackexchange) uses "SSL" to mean all sorts of
things, not only TLS. Yesterday i got an e-m
> Here's a useful and effective meme for convincing bosses that it's ok to turn
> off SSLv3: all known versions of SSL are broken and should never be used.
> Please do not break this meme by trying to rename TLS to SSL.
Is "all known versions before SSL 4" that much worse?
___
On 02/12/16 14:53, Thomas Pornin wrote:
Commercial CA tend to sell "SSL certificates", not "TLS certificates"
or "SSL/TLS certificates".
It's worse than that. Many customers, and even some salespeople, seem
to think that we sell "SSLs".
--
Rob Stradling
Senior Research & Development Scient
On Friday, 2 December 2016 16:12:05 CET Salz, Rich wrote:
> > Here's a useful and effective meme for convincing bosses that it's ok to
> > turn off SSLv3: all known versions of SSL are broken and should never be
> > used. Please do not break this meme by trying to rename TLS to SSL.
>
> Is "all kn
Not that I can speak for the whole of Microsoft, but I would not drop TLS
support in Windows if it were renamed "SSL":).
However, "transport layer security" makes a lot more sense to me than "secure
sockets layer" because the latter seems to imply network socket-style API,
which is not a requir
(To clarify, I was not at all suggesting we go back to SSL. If we had a
time machine, I might make other suggestions, but as far as I know we do
not.)
On Fri, Dec 2, 2016 at 12:45 PM Andrei Popov
wrote:
> Not that I can speak for the whole of Microsoft, but I would not drop TLS
> support in Wind
> On 2 Dec 2016, at 19:58, David Benjamin wrote:
>
> (To clarify, I was not at all suggesting we go back to SSL. If we had a time
> machine, I might make other suggestions, but as far as I know we do not.)
Can’t we borrow one from tictoc?
___
TLS mai
Indeed, "all known versions of SSL are broken and should never be used" is what
I've been telling people for a while now...
-Original Message-
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Daniel Kahn Gillmor
Sent: Friday, December 2, 2016 6:36 AM
To: Peter Gutmann ; Stephen Farrel
+1 with Andrei.
"That SSL should never be used" is the one clear message we have so going
back to SSL would muddy those waters too much. Strong vote for staying
with TLS. It will become better known over time- especially with the
current enterprise push to deprecate all SSL versions from use
> On Dec 2, 2016, at 3:33 AM, Peter Gutmann wrote:
>
> If no-one from Microsoft has any objections, can we just rename it back to
> what it's always been for everyone but us, SSL?
I was with you up to this point, but I do think that going back to SSL is
not a good idea, and takes us off topic.
+2
On removing all references to SSL.
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of darin.pet...@usbank.com
Sent: Friday, December 2, 2016 1:55 PM
To: Andrei Popov
Cc: TLS ;
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*
+1 with Andrei.
"That SSL should never be used" is the o
> Can’t we borrow one from tictoc?
Ever since they merged with NTP, it seems to be lost in a time loop and nobody
can find it.
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
> after considering all of the good points that have been circulating, I would
> like to change my vote
Woah, are you new here? :)
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
* Sean Turner [18/11/2016 03:13:23] wrote:
> At IETF 97, the chairs lead a discussion to resolve whether the WG should
> rebrand TLS1.3 to something else. Slides can be found @
> https://www.ietf.org/proceedings/97/slides/slides-97-tls-rebranding-aka-pr612-01.pdf.
>
> The consensus in the room
Aaron Zauner wrote:
(of course I'd opt for SSLv5 just to mess with people).
I'm surprised nobody has yet suggested retroactive renaming:
SSLv4 == TLS 1.0
SSLv5 == TLS 1.1
SSLv6 == TLS 1.2
SSLv7 == TLS 1.3
Mike
___
TLS maili
I favor naming the result tls 1.3 - the X in 1.X has effectively become the
modern versioning field and we should stick with that road now as the best
of a bunch of weak options.
-Patrick
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/lis
Hubert Kario writes:
>speaking of confusion, do you know that e-mail clients by "SSL" mean
>"SSL/TLS" and by "TLS" mean "STARTTLS"? (note the port numbers)
>https://sils.unc.edu/it-services/email-faq/outlook
>https://mail.aegee.org/smtp/kmail.html
>https://sils.unc.edu/it-services/my-computer/ema
On Dec 2, 2016, at 4:10 PM, Peter Gutmann wrote:
> Ugh, how very geeky,
Really?
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
Maarten Bodewes writes:
>The point is we are now indeed on draft 18. Changing the name now is very
>problematic because everybody on the mailinglist already calls it TLS 1.3,
>for a long time and no matter what you do, a lot of us (who are hopefully the
>experts) will keep referring to it under t
Viktor Dukhovni writes:
>I was with you up to this point, but I do think that going back to SSL is not
>a good idea, and takes us off topic.
It was just something to throw out there, and to point out that no matter what
the WG calls it, the rest of the world will keep calling it SSL. It's been
On Fri, Dec 2, 2016 at 1:21 PM, Peter Gutmann
wrote:
> The change was proposed long ago, and deferred by the chairs until now.
> This
> is just another variant of the inertia argument.
You keep dismissing this argument out of hand, but I think it has merit.
I think we can all admit the decisio
On Thu, Nov 17, 2016 at 6:12 PM, Sean Turner wrote:
> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not
> rebrand it to TLS 2.0, TLS 2, or TLS 4. We need to confirm this decision
> on the list so please let the list know your top choice between:
>
> - Leave it TLS 1.3
> -
> On Dec 2, 2016, at 10:34 PM, Tony Arcieri wrote:
>
> The consensus in the room was to leave it as is, i.e., TLS1.3, and to not
> rebrand it to TLS 2.0, TLS 2, or TLS 4. We need to confirm this decision on
> the list so please let the list know your top choice between:
>
> - Leave it TLS 1.
On Fri, Dec 02, 2016 at 02:16:16PM -0800, Tony Arcieri wrote:
> On Fri, Dec 2, 2016 at 1:21 PM, Peter Gutmann
> wrote:
>
> > The change was proposed long ago, and deferred by the chairs until now.
> > This
> > is just another variant of the inertia argument.
>
>
> You keep dismissing this argum
On Fri, Dec 02, 2016 at 03:35:00AM +, David Benjamin wrote:
> I think TLS 4 makes everything worse, not better.
>
> In hindsight, renaming SSL 3.1 was a terrible mistake. But TLS 1.2 is going
> to exist for a long time. If we call the next one 4, we have to explain a
> gap in the versioning (1
On Fri, Dec 2, 2016 at 7:57 PM, Scott Schmit wrote:
> This draft has been in development since April 2014, 2.6 years ago.
> Over that time, the wire protocol has changed multiple times and
> incompatibly. So not even all of that 2.6 years of details is still
> applicable to the protocol we're go
44 matches
Mail list logo
