On Fri, Dec 02, 2016 at 02:17:24PM +0000, Ackermann, Michael wrote:
> In Enterprise circles TLS is an unknown acronym and as painful as it
> is, we must usually refer to it as SSL, before anyone knows what we
> are talking about. Software products are guilty too. Parameter
> fields frequently reference SSL. :(
Actually there is a large variety in what I encounter (I work in a big financial institution, and I have gone through other big organisations). Some will just know "SSL" and talk about SSL for all protocols in the "SSL" family (which so far includes SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2). Some will use "SSL" for SSL 2.0 and SSL 3.0, and "TLS" for the TLS 1.x versions. They then ban "SSL" and want to enforce "TLS". When they encounter regulations that say "don't use TLS 1.0, only TLS 1.1+", they get confused.

Some people and software interfaces use "SSL vs TLS" in a completely different way, in the context of protocols like IMAP or FTPS: they use "SSL" to mean "SSL handshake first, then protocol inside it", and "TLS" to mean "protocol first and a STARTTLS command". This distinction is orthogonal to protocol versions.

Commercial CAs tend to sell "SSL certificates", not "TLS certificates" or "SSL/TLS certificates". In a similar vein, the 'S' in 'HTTPS' does _not_ mean "SSL", but not many people know that.

When I encounter someone who knows the differences between all versions, then I am in front of a mirror. The taxonomy is confused and complicated, and people who are maniacal enough to learn and remember it are very rare.

If we look at what Microsoft did when it encountered the same kind of terminology mess, it decided that the number following 2000 was "XP". Lately, for server versions, Microsoft uses a year-based numbering, and even so, they depart from it at times, e.g. when they decided that "2009" was really "2008R2". In practice, people don't have problems with gaps in numbering; they are even eager to _create_ gaps when convenient, for instance by not acknowledging the existence of Windows Vista.
So my conclusion is that terminology is essentially fluid and chosen by people in the field, without any form of concertation and with a trend toward simplification: the _operational_ notion is to lump versions into two groups, the ones that must be used and the ones that must not be used. There is about nothing IETF can do about it (though a really poorly chosen name might increase confusion even further). The only naming scheme which is kinda coherent is the numbering scheme on the wire (3.0, 3.1...), and even that one fails to capture SSL 2.0 (which is in fact 0.2 on the wire).

--Thomas Pornin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
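The closing remark about the on-the-wire numbering (3.0, 3.1, ... with SSL 2.0 showing up as 0.2) is the one place where the naming is actually checkable in captured traffic. The following is an added example, not part of the message or of anything the IETF TLS working group publishes: it reads the version bytes out of the first record of a handshake, distinguishing SSL 2.0 record framing (2-byte length with the high bit set, then a CLIENT-HELLO byte and the version) from SSLv3/TLS framing (a handshake content-type byte, then the version). The byte strings used as input are constructed by hand for illustration and are not captures; the name table covers only the versions the message lists.

```python
"""Read the protocol version a client puts on the wire in its first record.

Added example for the thread above; not code from the original message.
Sample inputs below are hand-constructed record prefixes, not captures.
"""
from typing import Tuple

# Wire (major, minor) -> common name, limited to the versions the message
# enumerates. The mapping is the whole point of the "3.x" numbering remark.
WIRE_VERSION_NAMES = {
    (0, 2): "SSL 2.0",
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

HANDSHAKE_CONTENT_TYPE = 0x16   # SSLv3/TLS record layer: ContentType handshake
SSL2_CLIENT_HELLO = 0x01        # SSL 2.0 message type CLIENT-HELLO


def wire_version(data: bytes) -> Tuple[int, int]:
    """Return (major, minor) as carried in the first record of a handshake.

    SSLv3/TLS: byte 0 is the content type, bytes 1-2 are the record version.
    SSL 2.0:   bytes 0-1 are a length with the high bit set (2-byte header,
               the form CLIENT-HELLO uses), byte 2 is the message type and
               bytes 3-4 are the version. A true SSL 2.0 hello carries
               0x0002 here, i.e. 0.2; an "SSLv2-compatible" hello from an
               SSL 3.0/TLS client uses the same framing but carries 3.x.
    """
    if len(data) < 5:
        raise ValueError("too short to be a handshake record")
    if data[0] == HANDSHAKE_CONTENT_TYPE:
        return data[1], data[2]
    if data[0] & 0x80 and data[2] == SSL2_CLIENT_HELLO:
        return data[3], data[4]
    raise ValueError("not a recognised SSL/TLS record header")


def name_for(data: bytes) -> str:
    """Human name for the wire version, or 'unknown (M.m)' if not in the table."""
    major, minor = wire_version(data)
    return WIRE_VERSION_NAMES.get((major, minor), f"unknown ({major}.{minor})")


# Constructed sample record prefixes (only the leading bytes matter here).
TLS12_RECORD = b"\x16\x03\x03\x00\x05\x01\x00\x00\x01"    # handshake, 3.3
SSL2_HELLO = b"\x80\x1f\x01\x00\x02\x00\x06\x00\x00\x00\x10"  # CLIENT-HELLO, 0.2
SSL2_FRAMED_TLS10 = b"\x80\x2e\x01\x03\x01\x00\x00"        # SSL2 framing, 3.1

if __name__ == "__main__":
    for label, rec in (("TLS 1.2 record", TLS12_RECORD),
                       ("SSL 2.0 hello", SSL2_HELLO),
                       ("SSL2-framed TLS 1.0 hello", SSL2_FRAMED_TLS10)):
        print(f"{label}: wire {wire_version(rec)} -> {name_for(rec)}")
```

The third sample is the case that trips up "SSL vs TLS" filters built on framing alone: the record looks like SSL 2.0, but the version inside it says TLS 1.0. Deciding on the version field, not the framing, is what the wire numbering the message refers to actually gives you.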