RE: Busted TLS Schedule, and a Proposal for Closure

At 8:44 PM -0700 10/17/96, Barb Fox wrote:
>Your mail finally addresses the issue of change control.  So, what is the
>incremental value of  "adopting SSL as is"  as an IETF standard without any
>schedule of work beyond December?

I think that it is fine for us to start scheduling now for work beyond
December -- but I don't think it should stop us from doing what can be done
to get TLS 1.0 out that meets the state of the art.

>Whether you agree to call it consensus or not, there has been progress in
>this working group on password authentication.  Other people obviously want
>it too, and we're prepared to submit an RFC along with independent
>implementations of working code.

I think the password authentication stuff should be on the schedule -- but
when you include the idea that there needs to be some implementation of it
(preferably multiple) before it can be truely a "standard", then deployment
TLS as a standard which does currently have multiple implementations
shouldn't wait for it.

>When and how do you (or better yet, one of the authors you cite) propose
>that we incorporate it?   What about the other features/extensions/
>cleanups that have been proposed? As you may recall, I absolutely agreed
>with using SSL3 as the base.   It's the de facto standard now.  So, why not
>at least try to improve it in some way, rather than wasting everybody's
>time merely to rename it?

I don't think it is a waste of time, nor "merely to rename it". Tim has
pages of notes and clarifications on what he has discovered in the spec,
and I'm sure that others do as well. The Fortezza descriptions in it are a
real mess. Getting change control out of the current authors hands will be
a huge step forward. It may even be possible to split it up in this
agressive time frame so that it will make it easier to manage change in the

>I offer the counter proposal that we all agree to a much more realistic
>schedule - say March or June IETF - for getting what would be a real TLS
>proposal with several improvements and multiple implementations on the
>table for consideration.

I think getting some incremental changes into TLS in those time frames are
a very good idea, and we should do it. However, it has been 10 months since
the SSL 3.0 spec was released, and 5 months since there have been multiple
implementations. The net is rolling fast and I'm on the side of moving
things along so we can do more work rather than slowing them down so we can
do more work.

..Christopher Allen                  Consensus Development Corporation..
..<>                 1563 Solano Avenue #355..
..                                             Berkeley, CA 94707-2116..
..Home of "SSL Plus:                      o510/559-1500  f510/559-1505..
..  SSL 3.0 Integration Suite(tm)" <>..

Received on Friday, 18 October 1996 02:14:33 UTC