Re: [TLS] Deployment ... Re: This working group has failed

Ralf Skyper Kaiser <skyper@thc.org> Tue, 19 November 2013 09:17 UTC

Return-Path: <skyper@thc.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 120671AD694 for <tls@ietfa.amsl.com>; Tue, 19 Nov 2013 01:17:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tuQ5CtH87LTh for <tls@ietfa.amsl.com>; Tue, 19 Nov 2013 01:17:48 -0800 (PST)
Received: from mail-ie0-x235.google.com (mail-ie0-x235.google.com [IPv6:2607:f8b0:4001:c03::235]) by ietfa.amsl.com (Postfix) with ESMTP id E6D211A1F5F for <tls@ietf.org>; Tue, 19 Nov 2013 01:17:47 -0800 (PST)
Received: by mail-ie0-f181.google.com with SMTP id e14so3963198iej.12 for <tls@ietf.org>; Tue, 19 Nov 2013 01:17:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thc.org; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=diWytiYBV39TIrMJCAZW+XfnEEgVCQ2AsJVGAd2jBi0=; b=U4n8O9A9OYdlD1nBLI0wB/HJhbmVsqUgBJBNDyDjg6a9MmettThIxnVGHUzUylCEjq XvrVry6iIfwVdIE6N3JK+uETvAe0b/4xs/tGJKa3eAbDJplqOJ696VMkbg5fkOsHKSWh Nu9x1VVpg17KTeKfr3IQqmo+R8vATe9dIDquY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=diWytiYBV39TIrMJCAZW+XfnEEgVCQ2AsJVGAd2jBi0=; b=VNVdM99sjxT3F2YQmizlH9SAECD6X/kGeIAtTvrlsY9mg3b5ORAgvJJnFtGurT8uYf W7M6ufaWcdsjOJlm8/ax0EMlcEbtfRuZzqBYH4MequiVccvatlicrvdZR7NYuHYkJt8q 2CAMRpPijo7EvqF4gMDZJ9GV5F8B+f5y1dJ+Y6y5/Krza7/Vj3nGxo4SRFTAKXH0+zvD 24yE8uFD/UirzsuUFryNvIFSDC1COLocA6IhpGd8scdobI0Cr47cvfxD7B3PQbas/xjg +G/PrybPcd9sY4E0/Fp41kozGjo7vTNxsfMaAsGqYHPCqdjEnXkF2Az22J5o8S3gsSC5 H4Lg==
X-Gm-Message-State: ALoCoQlTGF1nobJNh3AI7yyLLptUZZ7emhlr4osIVstl5w6MiBugyeErI53yAtfE7o5jKCpFbuwD
MIME-Version: 1.0
X-Received: by 10.50.128.137 with SMTP id no9mr18301865igb.36.1384852661887; Tue, 19 Nov 2013 01:17:41 -0800 (PST)
Received: by 10.64.9.41 with HTTP; Tue, 19 Nov 2013 01:17:41 -0800 (PST)
X-Originating-IP: [87.106.82.87]
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C711DAEEE432@USMBX1.msg.corp.akamai.com>
References: <CACsn0c=i2NX2CZ=Md2X+WM=RM8jAysaenz6oCxmoPt+LC5wvjA@mail.gmail.com> <52874576.9000708@gmx.net> <CAPMEXDbgp5+Gg6mkMWNrcOzmAbSpv3kjftGV0cjpqvMnRxpw=A@mail.gmail.com> <44D7624E-75D8-47D3-93BF-97427206E800@iki.fi> <CACsn0c=9GrO21ECZczB2zft3bVODcc=1ZRp3pG22c-rrDfTPXQ@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711DAEEE373@USMBX1.msg.corp.akamai.com> <CACsn0cnRUDZp=_iOy+J4Ur1PFtkJgfFcHzhVFviSYUG9mh_t4w@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711DAEEE432@USMBX1.msg.corp.akamai.com>
Date: Tue, 19 Nov 2013 09:17:41 +0000
Message-ID: <CA+BZK2rv+KYWVhchUj_AnyNFBc_ryUZGY4Q9SovJ7Q--4fV54w@mail.gmail.com>
From: Ralf Skyper Kaiser <skyper@thc.org>
To: "Salz, Rich" <rsalz@akamai.com>
Content-Type: multipart/alternative; boundary=047d7b10cf0dfa7f4d04eb842217
Cc: "TLS@ietf.org \(tls@ietf.org\)" <tls@ietf.org>
Subject: Re: [TLS] Deployment ... Re: This working group has failed
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2013 09:17:50 -0000

I agree with Watson (high level API is needed. Desperately).

Whenever I do a source code audit I almost always find an implementation
bug, something where the developer just did not know how to use openssl
correctly and kind of guessed or googled the solution (and google is so
often wrong...).

A high level API that takes care of always the best settings and takes care
of certificates, revocation and pinning would fix a significant number of
security problems out there and lower the bar for other application to
start using TLS.

This is the wrong mailinglist to discuss it but it should be mentioned on
the openssl/gnutls mailinglist.


regards,

ralf


On Mon, Nov 18, 2013 at 4:41 PM, Salz, Rich <rsalz@akamai.com> wrote:

> These seem contradictory to me:
>
> >> TLS 1.2 solves the same problem as TLS 1.0. It should therefore have
> the same API.
> > The current APIs have caused lots of security bugs as people don't use
> them correctly. The solution: high level APIs that won't change ...
>
> The IETF has traditionally avoided API's and doesn't get involved in
> high-level language wars (other than ASN.1/DER vs ASCII art :)
>
>         /r$
>
> --
> Principal Security Engineer
> Akamai Technology
> Cambridge, MA
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>