RE: Busted TLS Schedule, and a Proposal for Closure

Christopher:

Your mail finally addresses the issue of change control.  So, what is the 
incremental value of  "adopting SSL as is"  as an IETF standard without any 
schedule of work beyond December?

Whether you agree to call it consensus or not, there has been progress in 
this working group on password authentication.  Other people obviously want 
it too, and we're prepared to submit an RFC along with independent 
implementations of working code.

When and how do you (or better yet, one of the authors you cite) propose 
that we incorporate it?   What about the other features/extensions/ 
cleanups that have been proposed? As you may recall, I absolutely agreed 
with using SSL3 as the base.   It's the de facto standard now.  So, why not 
at least try to improve it in some way, rather than wasting everybody's 
time merely to rename it?

I offer the counter proposal that we all agree to a much more realistic 
schedule - say March or June IETF - for getting what would be a real TLS 
proposal with several improvements and multiple implementations on the 
table for consideration.

Barb

----------
From:  Christopher Allen[SMTP:ChristopherA@consensus.com]
Sent:  Wednesday, October 16, 1996 11:24 AM
To:  ietf-tls@w3.org
Cc:  Win Treese; Jeff Schiller
Subject:  Busted TLS Schedule, and a Proposal for Closure

In the minutes for the previous TLS-WG meeting in Montreal (at
<http://lists.w3.org/Archives/Public/ietf-tls/msg00217.html> and
<http://lists.w3.org/Archives/Public/ietf-tls/msg00212.html>) it says:

>7/30/96 All issues on the table, with justifications why they
>               are important. On or about 8/2/96, I will post a
>               summary of where we are. Some issues may be
>               accepted or rejected in ensuing discussion during July.
>
>8/31/96 Proposed text/detailed descriptions for proposals due.
>
>9/30/96: Discussion on list of what we should move forward with.
>
>Early October: document editors/authors meet to hash out
>the text. (Exact set to be determined)
>
>Mid-October: discussion draft available for review.
>
>November: discussion on the list, organization of issues remaining
>for discussion at the San Jose meeting.
>
>December: meet in San Jose.
>
>I also propose that we limit discussion of this proposal to conclude
>by Friday, 7/12, so we don't get bogged down in process discussions.

As I recall there were only two technical proposals on the table in August
and September (both of which I think were late), Netscape's authority
attributes, and Microsoft's secret key authentication. I have not seen on
this list sufficient consensus to move forward on either of them.

I would like to suggest to Win Treese, the TLS-WG chairman, that we table
the two proposals for now, and settle on moving SSL 3.0 into TLS 1.0 *as
is*, however, with some clarifications to the spec.

I would like to see that early in November a small group of engineers who
have actually *implemented* SSL 3.0 get together with the current SSL 3.0
authors to clarify the spec. *Not* change the spec, only clarify any
ambiguities (we have found in writing SSLRef 3.0, SSL Plus, and an SSL
Fortezza implemenation a number of ambiguities, and I'm sure others have 
as
well.)

This cleaned up spec would be called TLS 1.0 and published as an internet
draft for final comments in time for the December IETF meeting in San 
Jose.

SSL 3.0 is already widely deployed. Both Microsoft and Netscape have it 
now
in their browsers and servers, and many other companies now have SSL 3.0
browsers, web servers, and non-web application under development with SSL
3.0.

Thus I believe that is appropriate that the continued revisions of the SSL
3.0 standard move to IETF change control, and it's authors seem willing to
allow it to do so. Given this I think SSL 3.0 is an appropriate starting
point for IETF and TLS-WG, and that the the TLS-WG should ratify it with
the ambiguities cleaned up.

From that solid base we can move toward TLS 1.1, which then might include
Microsoft's and Netscape's proposals.

------------------------------------------------------------------------
..Christopher Allen                  Consensus Development Corporation..
..<ChristopherA@consensus.com>                 1563 Solano Avenue #355..
..                                             Berkeley, CA 94707-2116..
..Home of "SSL Plus:                      o510/559-1500  f510/559-1505..
..  SSL 3.0 Integration Suite(tm)" <http://www.consensus.com/SSLPlus/>..

Received on Thursday, 17 October 1996 23:44:28 UTC