IETF Logo Mail Archive

Re: [TLS] Confirming consensus: TLS1.3->TLS*

Thomas Pornin <pornin@bolet.org> Fri, 02 December 2016 14:54 UTC

Return-Path: <pornin@bolet.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B066B1294D4 for <tls@ietfa.amsl.com>; Fri, 2 Dec 2016 06:54:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.798
X-Spam-Level:
X-Spam-Status: No, score=-4.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-2.896, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kYCA8Azy0NR9 for <tls@ietfa.amsl.com>; Fri, 2 Dec 2016 06:54:02 -0800 (PST)
Received: from brontes.bolet.org (brontes.bolet.org [62.210.214.227]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D45181296E9 for <tls@ietf.org>; Fri, 2 Dec 2016 06:53:58 -0800 (PST)
Received: by brontes.bolet.org (Postfix, from userid 1000) id 1F74E205F8; Fri, 2 Dec 2016 15:53:57 +0100 (CET)
Date: Fri, 02 Dec 2016 15:53:57 +0100
From: Thomas Pornin <pornin@bolet.org>
To: "Ackermann, Michael" <MAckermann@bcbsm.com>
Message-ID: <20161202145357.GA30015@bolet.org>
References: <CF83FAD0-B337-4F9E-A80B-2BAA6826BF41@sn3rd.com> <CAHOTMVJzvf8v0S3vhFASekd6ksut0uNBhJDmuYzSQcJfy6JYpg@mail.gmail.com> <1480648354917.41781@cs.auckland.ac.nz> <1714292.gybZQF1xmo@pintsize.usersys.redhat.com> <75c46572e29141f69397d4511761ddc3@usma1ex-dag1mb1.msg.corp.akamai.com> <CAPt1N1=8iQXAFGgwao-Y5DT_RhKpmy7zHAQST5-g7T82dv+j6w@mail.gmail.com> <CY4PR14MB13686DEFC6E775FFD583E637D78E0@CY4PR14MB1368.namprd14.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CY4PR14MB13686DEFC6E775FFD583E637D78E0@CY4PR14MB1368.namprd14.prod.outlook.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/i298G-HI5r9f1q2A0ZQ_B_GbzuA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Confirming consensus: TLS1.3->TLS*
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2016 14:54:04 -0000

On Fri, Dec 02, 2016 at 02:17:24PM +0000, Ackermann, Michael wrote:
> In Enterprise circles TLS is an unknown acronym and as painful as it
> is,  we must usually refer to it as SSL,  before anyone knows what we
> are talking about.  Software products are guilty too.   Parameter
> fields frequently reference SSL.   :(

Actually there is a large variety in what I encounter (I work in a big
financial institution, and I have gone through other big organisations).

Some will just know "SSL" and talk about SSL for all protocols in the
"SSL" family (which so far includes SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1
and TLS 1.2).

Some will use "SSL" for SSL 2.0 and SSL 3.0, and "TLS" for the TLS 1.x
versions. They then ban "SSL" and want to enforce "TLS". When they
encounter regulations that say "don't use TLS 1.0, only TLS 1.1+", they
get confused.

Some people and software interfaces use "SSL vs TLS" in a completely
different way, in the context of protocols like IMAP or FTPS: they use
"SSL" to mean "SSL handshake first, then protocol inside it", and "TLS"
to mean "protocol first and a STARTTLS command". This distinction is
orthogonal to protocol versions.

Commercial CA tend to sell "SSL certificates", not "TLS certificates"
or "SSL/TLS certificates". In a similar vein, the 'S' in 'HTTPS' does
_not_ mean "SSL", but not many people know that.

When I encounter someone who knows the differences between all versions,
then I am in front of a mirror. The taxonomy is confused and
complicated, and people who are maniacal enough to learn and remember it
are very rare.



If we look at what Microsoft did when it encountered the same kind of
terminology mess, it decided that the number following 2000 was "XP".
Lately, for server versions, Microsoft uses a year-based numbering,
and even so, they depart from it at times, e.g. when they decided that
"2009" was really "2008R2".

In practice, people don't have problem with gaps in numbering; they
are even eager to _create_ gaps when convenient, for instance by
not acknowledging the existence of Windows Vista.


So my conclusion is that terminology is essentially fluid and chosen by
people in the field, without any form of concertation and with a trend
toward simplification: the _operational_ notion is to lump versions into
two groups, the ones that must be used and the ones that must not be
used. There is about nothing IETF can do about it (though a really
poorly chosen name might increase confusion even further). The only
naming scheme which is kinda coherent is the numbering scheme on the
wire (3.0, 3.1...), and even that one fails to capture SSL 2.0 (which is
in fact 0.2 on the wire).


	--Thomas Pornin

v2.23.0 | Report a Bug | By Email