Busted TLS Schedule, and a Proposal for Closure

In the minutes for the previous TLS-WG meeting in Montreal (at
<http://lists.w3.org/Archives/Public/ietf-tls/msg00217.html> and
<http://lists.w3.org/Archives/Public/ietf-tls/msg00212.html>) it says:

>7/30/96 All issues on the table, with justifications why they
>               are important. On or about 8/2/96, I will post a
>               summary of where we are. Some issues may be
>               accepted or rejected in ensuing discussion during July.
>
>8/31/96 Proposed text/detailed descriptions for proposals due.
>
>9/30/96: Discussion on list of what we should move forward with.
>
>Early October: document editors/authors meet to hash out
>the text. (Exact set to be determined)
>
>Mid-October: discussion draft available for review.
>
>November: discussion on the list, organization of issues remaining
>for discussion at the San Jose meeting.
>
>December: meet in San Jose.
>
>I also propose that we limit discussion of this proposal to conclude
>by Friday, 7/12, so we don't get bogged down in process discussions.

As I recall there were only two technical proposals on the table in August
and September (both of which I think were late), Netscape's authority
attributes, and Microsoft's secret key authentication. I have not seen on
this list sufficient consensus to move forward on either of them.

I would like to suggest to Win Treese, the TLS-WG chairman, that we table
the two proposals for now, and settle on moving SSL 3.0 into TLS 1.0 *as
is*, however, with some clarifications to the spec.

I would like to see that early in November a small group of engineers who
have actually *implemented* SSL 3.0 get together with the current SSL 3.0
authors to clarify the spec. *Not* change the spec, only clarify any
ambiguities (we have found in writing SSLRef 3.0, SSL Plus, and an SSL
Fortezza implemenation a number of ambiguities, and I'm sure others have as
well.)

This cleaned up spec would be called TLS 1.0 and published as an internet
draft for final comments in time for the December IETF meeting in San Jose.

SSL 3.0 is already widely deployed. Both Microsoft and Netscape have it now
in their browsers and servers, and many other companies now have SSL 3.0
browsers, web servers, and non-web application under development with SSL
3.0.

Thus I believe that is appropriate that the continued revisions of the SSL
3.0 standard move to IETF change control, and it's authors seem willing to
allow it to do so. Given this I think SSL 3.0 is an appropriate starting
point for IETF and TLS-WG, and that the the TLS-WG should ratify it with
the ambiguities cleaned up.

From that solid base we can move toward TLS 1.1, which then might include
Microsoft's and Netscape's proposals.

------------------------------------------------------------------------
..Christopher Allen                  Consensus Development Corporation..
..<ChristopherA@consensus.com>                 1563 Solano Avenue #355..
..                                             Berkeley, CA 94707-2116..
..Home of "SSL Plus:                      o510/559-1500  f510/559-1505..
..  SSL 3.0 Integration Suite(tm)" <http://www.consensus.com/SSLPlus/>..

Received on Wednesday, 16 October 1996 14:19:46 UTC