Re: which to implement? from Phil Karlton on 1996-05-09 (ietf-tls@w3.org from April to June 1996)

From: Phil Karlton <karlton@netscape.com>
Date: Thu, 09 May 1996 14:37:13 -0700
To: Bennet Yee <bsy@cs.ucsd.edu>
Cc: Tom Stephens <tomste@microsoft.com>, "'Rodney Thayer'" <rodney@sabletech.com>, "'pcttalk@ftp.com'" <pcttalk@ftp.com>, "'ietf-tls@w3.org'" <ietf-tls@w3.org>
Message-Id: <31926588.59E2@netscape.com>

Bennet Yee wrote:
> 
> In message <3191A44E.167E@netscape.com>, Phil Karlton writes:
> >
> > In what way is SSL 3 not open?
> 
> AFAIK, the feature set was determined almost solely by Netscape.

Let me correct that assumption. Features are in SSL 3 that Netscape has
no plans to use. They are there because those that involved themselves
in the early design asked for them. (For instance, the anonymous
Diffie-Helman key exchange is in there to support protocols where MITM
attacks are not an issue.)

Public responses to the initial sketches for SSL 3 were coming in as
early as August, 1995.

Microsoft has had copies of the spec since at least November, 1995.
There was been no feedback from Microsoft (asking questions or making
suggestions) until a completely rewritten spec showed up the month after
final SSL 3.0 spec went out.

> Certainly, we
> need to decide how much attention we, as an IETF working group rather
> than as workers for some particular company or as academics, should be
> pay to the (cost of the) effort already spent.  If we pay too much
> attention to it, then we might as well disband the working group and
> just adopt SSLv2.  (Or 3.  Or PCTv1 or 2.  Pick your own poison.)

I disagree. The output of this working group will not be a protocol that
gets picked once in 1996 and never changes. Even before the March draft
was finished, consideration was being given as to what was needed for
3.1. (Support for attribute certificates was high on that list.) It
would be good if this group was driving that process.

What I am arguing for is to take SSL 3.0 as a base and to grow it with
the features that are needed. Dropping a 35 page counter-proposal onto
the table containing changes ranging from UDP support to password
authentication means that efforts will not be focused on the respective
ideas.

> Please be careful about your terminology.  A "covert channel" has a
> very specific meaning to people working in security, and I don't think
> that meaning is what you intended.

I apologize for using the wrong word at 1:00 am.

PK
--
Philip L. Karlton		karlton@netscape.com
Principal Curmudgeon		http://home.netscape.com/people/karlton
Netscape Communications

     They that can give up essential liberty to obtain a little
     temporary safety deserve neither liberty nor safety.
		- Benjamin Franklin

Received on Thursday, 9 May 1996 17:38:37 UTC