RE: Busted TLS Schedule, and a Proposal for Closure


  Please read balow your comments/reply's.

At 11:15 PM 10/17/96 -0700, you wrote:
>At 8:44 PM -0700 10/17/96, Barb Fox wrote:
>>Your mail finally addresses the issue of change control.  So, what is the
>>incremental value of  "adopting SSL as is"  as an IETF standard without any
>>schedule of work beyond December?
>I think that it is fine for us to start scheduling now for work beyond
>December -- but I don't think it should stop us from doing what can be done
>to get TLS 1.0 out that meets the state of the art.
>>Whether you agree to call it consensus or not, there has been progress in
>>this working group on password authentication.  Other people obviously want
>>it too, and we're prepared to submit an RFC along with independent
>>implementations of working code.
>I think the password authentication stuff should be on the schedule -- but
>when you include the idea that there needs to be some implementation of it
>(preferably multiple) before it can be truely a "standard", then deployment
>TLS as a standard which does currently have multiple implementations
>shouldn't wait for it.

  Well we are in the process of implimentation in one case currently.  I would
agree that multipul implimentations suould really be done befor any decleration
for  a"Standard" should be made.  It seems though that getting that done
is really not doable without some extra help.  I would suggest that some
discussion, thought short, should be done along these lines as an "Aid", if
you will for achieving (Multipul implimentations).  If I read this right,
seems that this may be a solovable problem.  
>>When and how do you (or better yet, one of the authors you cite) propose
>>that we incorporate it?   What about the other features/extensions/
>>cleanups that have been proposed? As you may recall, I absolutely agreed
>>with using SSL3 as the base.   It's the de facto standard now.  So, why not
>>at least try to improve it in some way, rather than wasting everybody's
>>time merely to rename it?
>I don't think it is a waste of time, nor "merely to rename it". Tim has
>pages of notes and clarifications on what he has discovered in the spec,
>and I'm sure that others do as well. The Fortezza descriptions in it are a
>real mess. Getting change control out of the current authors hands will be
>a huge step forward. It may even be possible to split it up in this
>agressive time frame so that it will make it easier to manage change in the

  This might be a workable approach.  But it does have some cordanition
>>I offer the counter proposal that we all agree to a much more realistic
>>schedule - say March or June IETF - for getting what would be a real TLS
>>proposal with several improvements and multiple implementations on the
>>table for consideration.
>I think getting some incremental changes into TLS in those time frames are
>a very good idea, and we should do it. However, it has been 10 months since
>the SSL 3.0 spec was released, and 5 months since there have been multiple
>implementations. The net is rolling fast and I'm on the side of moving
>things along so we can do more work rather than slowing them down so we can
>do more work.

  This is a tuff one here Christopher.  I would agree that moving along is 
usually best.  But I think some care might be taken in not puting out hurried
code.  If that can be accomplished with the WG you have now, GREAT!  If
not however, I think some momentum could be lost, not to mention 
credibility.   What do you think?  Anybody?


>..Christopher Allen                  Consensus Development Corporation..
>..<>                 1563 Solano Avenue #355..
>..                                             Berkeley, CA 94707-2116..
>..Home of "SSL Plus:                      o510/559-1500  f510/559-1505..
>..  SSL 3.0 Integration Suite(tm)" <>..
Jeffrey A. Williams
SR.Internet Network Eng. 
CEO., IEG., INC.,  Representing PDS .Ltd.
Phone: 214-793-7445 (Direct Line)
Director of Network Eng. and Development IEG. INC.

Received on Friday, 18 October 1996 04:49:45 UTC