RE: which to implement? from Tom Stephens on 1996-04-27 (ietf-tls@w3.org from April to June 1996)

From: Tom Stephens <tomste@microsoft.com>
Date: Fri, 26 Apr 1996 19:13:15 -0700
To: "'Rodney Thayer'" <rodney@sabletech.com>
Cc: "'pcttalk@ftp.com'" <pcttalk@ftp.com>, "'ietf-tls@w3.org'" <ietf-tls@w3.org>
Message-Id: <c=US%a=_%p=msft%l=RED-88-MSG-960427021315Z-35066@tide21.microsoft.com>

>SSLv3 and PCTv2 are both PAPER protocols.  We're living with SSLv2 and
>PCTv1 in real code, and we all agree that's not good enough.  The
>purpose of this TLS working group is to come up with something more
>secure and more open, but I agree with Win and Taher that we need to be
>in Final Draft form by July to have an IETF standard in 1996.  This is
>critical to all of us so that we don't have to even think about what we
>implement.  "STLP" should be the Internet standard - so let's get
serious about what's in it, so we can all get on with the code.

>Do any of you want to sit down together for a day and work up an STLP
>draft to present to the whole working group before the IETF meeting in
>June?  There's some great discussion going on the list, but maybe a
>face-to-face meeting with anyone who is really interested could
>accelerate the process.  Any takers? I would be happy to schedule and
arrange for such a meeting if people are amenable.

Tom Stephens
Program Manager
Microsoft Corporation

>----------
>From: 	Rodney Thayer[SMTP:rodney@sabletech.com]
>Sent: 	Wednesday, April 24, 1996 3:12 AM
>To: 	Sean Dalby
>Cc: 	pcttalk@ftp.com; rodney@sabletech.com
>Subject: 	which to implement?
>
>netscape in the ssl3 spec claims it is going to deprecate ssl2
>
>yet ssl2 has a significant installed base and I'm not convinced it will
>go
>away the moment <something else> shows up, regardless of what the
>something
>else is.
>
>now there's the IETF activity too.
>
>and there's an other Microsoft protocol (can't remember it's name at
>the moment)
>
>and there's SHTTP which apparently has not yet disappeared -- although
>since
>you can't buy any browsers that support it maybe it's not really here
>yet.
>
>of course all this could become instantly irrelevant if for example
>Master
>Card started giving away free netscape plug-in's with their own
>encryption
>scheme.
>
>this all makes for a tough call on what to implement.  my personal
>conclusion,
>today, is:
>
>  1. reconsider decision continuously
>  2. do not implement ssl2 as netscape is going to desupport it soon
>  3. do not implement non-existant protocols (meaning SSL3, today.)
>  4. use a protocol known to be implement by others
>
>so today's answer ends up being PCT.  I really would rather do
>something
>with a genuine IETF process behind it but there is no such protocol
>today.
>Yes yes there is now an active process, and that's *GOOD*, but there
>ain't
>no code today.
>
>just my opinion...
>
>At 03:04 PM 4/16/96 -0600, you wrote:
>  ...
>
>                  Rodney Thayer           ::        
>rodney@sabletech.com
>                  Sable Technology Corp   ::              +1 617 332
>7292
>                  246 Walnut St           ::         Fax: +1 617 332
>7970     
>                  Newton MA 02160 USA     :: 
>http://www.shore.net/~sable
>                           "Developers of communications software"




>
>

Received on Friday, 26 April 1996 22:13:19 UTC