- From: Eric Murray <ericm@lne.com>
- Date: Thu, 9 May 1996 19:02:10 -0700 (PDT)
- To: bfox@microsoft.com (Barb Fox)
- Cc: bsy@cs.ucsd.edu, karlton@netscape.com, tomste@microsoft.com, rodney@sabletech.com, pcttalk@ftp.com, ietf-tls@w3.org
Barb Fox writes:
>
> Phil:
>
> Well, at least this list is getting lively! Let me try to address the
> points you made in both your recent posts.
>
> First: I know for a fact that Netscape solicited comments on SSLv3
> pre-publication, as an Internet Draft, and moderated SSL-talk.

Actually, it's an open, not moderated, list.

> There
> were plenty of comments and many of these along with some of the work
> we did with PCT are reflected in SSLv3. (I point specifically to
> separation of MAC and encryption key lengths and a shorter, more
> efficient handshake message flow which showed up in SSL after PCT was
> published.) But my real point is that what went in and what didn't was
> primarily a Netscape decision.

For what it's worth, they were pretty open about accepting suggestions. As one of the first (only?) people to attempt to implement the original flawed SSLv3, I was able to make a number of suggestions. The SSL people at Netscape took the good ones, and even managed to accept the anonymous Diffie-Hellman that we asked them to include. In addition, pointers to the spec were posted on the cypherpunks list and comments were solicited from the list.

While the SSLv3 spec development wasn't as open as, say, an IETF standard, for a proprietary standard there was a huge amount of outside input. Because of this, and the large amount of outside review that SSLv3 has had, I would like to see it used as a base for the TLS standard.

I think that people from Microsoft, and many others, have made some good suggestions for improvements and additions to SSLv3. I think it would be useful to list all those suggestions in one place. I will go back through the ietf-tls list mail I have, and the other specs, and attempt to create such a list.

In addition, at the original BOF there were _three_ proposals for a base for TLS - SSL, PCT, and SSH. I haven't heard anything about SSH on this list, and sadly I haven't had the time to research it. Could someone who's familiar with it post its features and what features it has that might be improvements on SSLv3?

--
Eric Murray ericm@lne.com ericm@motorcycle.com http://www.lne.com/ericm
PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF
Received on Thursday, 9 May 1996 22:21:16 UTC