Re: Merged Transport Layer Protocol Development

There has indeed been some unfortunate confusion surrounding the
discussion paper, but it's difficult to comprehend some of the ideas
being bandied about lately - "sub-rosa" dealings, a Netscape-Microsoft
conspiracy to bypass the IETF ?!?, etc.

As I see it, two mistakes were made:
1 - the creation of two mailing lists, ietf-tls@w3.org and tls-draft@w3.org,
    when one would have been sufficient
2 - the discussion paper was widely distributed both by hardcopy and
    email to people who had previously commented on either SSL or PCT,
    but was not posted to either of the above lists nor to the SSL
    or PCT lists.

Tom Stephens has addressed both of these:

> To: "'ietf-tls@w3.org'" <ietf-tls@w3.org>
> Date: Fri, 19 Apr 1996 19:32:07 -0700
>
> However, since the consensus of the emails is to discuss the STLP
> strawman document on ietf-tls, then Microsoft does not object.  To
> facilitate the discussion, you can find the STLP strawman document at:  
> 
> http://pct.microsoft.com/stlp.  


But to further dispel any Watergate-type speculation ("What did he
know and when did he know it?"), here is the cover letter I received
with the original stlp paper.  The tone of the letter is clearly
inclusive, and may help to clear up any lingering misunderstandings.

My only criticism of this working group is that the chairman has
not yet taken an active role in moderating the discussion.  Perhaps
that will change soon.


----- Begin Included Message -----

From tomste@microsoft.com Fri Apr 12 20:11:57 1996
From: Tom Stephens <tomste@microsoft.com>
To: "'dpkemp@missi.ncsc.mil'" <dpkemp@missi.ncsc.mil>
Subject: Merged Transport Layer Protocol Development
Date: Fri, 12 Apr 1996 17:11:02 -0700

>Your input is needed for the creation of a new open transport-layer
>security protocol!
>
>Via the IETF, Microsoft and Netscape are working together to converge
>on a single open transport-layer security protocol, using the existing
>protocols (SSL, PCT, SSH - Secure Shell Remote Login) as a base. We're
>happy to be involved in this because we believe a single, open
>specification will benefit both developers and users.
>
>We're committed to making this convergence happen as quickly as
>possible, through the IETF process.  To help things move as quickly as
>possible, Microsoft has written a discussion draft called STLP (Secure
>Transport Layer Protocol).  The discussion draft is not a spec suitable
>for implementation; it's a starting point for a converged
>specification.   
>
>This draft starts with Netscape's SSL 3.0 and adds features from
>Microsoft's PCT 2.0 based on feedback from cryptographers and
>implementers.  It is intended to provide a simpler and more robust
>implementation, additional scalability, improved security and the
>additional functionality needed for wider application of the
>specification.  We're sending this draft to Netscape and to the firms
>who provided substantial input to SSL and to PCT.
>
>When the converged spec is finished, Microsoft will develop and
>distribute no-charge reference and object code versions which implement
>the converged spec.
>
>W3C has created two list servers to foster the STLP development:  
>
>ietf-tls@w3.org
>Ietf-tls@w3.org provides support for the Transport Layer Protocol
>Working Group.  To become a member of ietf-tls@w3.org, email
>ietf-tls@request@w3.org with the word "subscribe" in the subject line. 
>
>
>tls-draft@w3.org
>Tls-draft@w3.org was specifically created to foster discussion about
>the development of a new transport layer protocol.  The current plan
>calls for a draft document to be presented at the IETF Montreal
>Conference in June.  As a result, the creation of a spec will move ahead
>very quickly, so it is very important that you post to this alias
>information about what you would like to see included in the new spec. 
>Please take the time to review the attached STLP document and post any
>comments you might have regarding features, present or missing, that
>you would like to see added to the new spec.  To join tls-draft@w3.org,
>send an email to tls-draft-request@w3.org with the word "subscribe" in
>the subject line.
>
>Please also take a look at the PCT 2.0 spec.  It's available at
>http://pct.microsoft.com. Comments on PCT 2.0 are also welcomed.
>
>Security and privacy are important.  We're pleased to be working with
>other industry players to deliver a single spec for scaleable transport
>security with a broad range of functionality.
>
>Tom Stephens
>Program Manager
>Microsoft
>
>-----------------------------------------------------------------
>
>Secure Transport Layer Protocol discussion draft pertinent points:
>
>1.  It's not a spec, it's a discussion draft -- a starting point.
>
>2.  It uses SSL v3 as a base, and adds on top of that (mainly from PCT v2)
>
>3.  It suggests changes to the base protocol to make implementation
>simpler and more robust:  e.g. stronger error reporting, uniform
>message headers, etc.
>
>4.  Specific deltas from SSL v3 include:
>	- datagram support
>	- new keys and cipher specs allowed, supporting pre-encrypted data
>	- less long-term dependence on particular algorithms
>	- more information in alerts for robust error-handling
>	- improved handshaking, allows speed-up when the client has the server's key
>	- additional authentication options, including previously shared secrets
>	- full specification of cert types and names for both clients and servers
>

[word and text attachments deleted - dpk]

----- End Included Message -----

Received on Monday, 22 April 1996 16:32:22 UTC