Re: [TLS] TLS, PKI,

Martin Rex <mrex@sap.com> Wed, 14 July 2010 03:59 UTC

From: Martin Rex <mrex@sap.com>
Message-Id: <201007140359.o6E3xUo7026334@fs4113.wdf.sap.corp>
To: rrelyea@redhat.com
Date: Wed, 14 Jul 2010 05:59:30 +0200
In-Reply-To: <4C3D15C5.1090307@REDHAT.COM> from "Robert Relyea" at Jul 13, 10 06:41:25 pm
Cc: tls@ietf.org

Robert Relyea wrote:
> 
> >
> > If SSHv1 would have required CA-signed X.509 certs in its initial
> > shipment, it would have taken MUCH longer to become popular, if at all.
> 
> Compared to SSL, SSH is still not popular, which sort of negates your
> point.

Quite the opposite.  Compared to SSH, SSL is a complete and utter failure.

SSH became popular in 1995 and ubiquitous on Unix platforms before 2000.

Probably >>95% of all admins of networked Unix boxes have SSH configured
and used it to access their machines remotely.  Many of them have been
doing this for >10 years.

Even lots of networked devices support SSH out-of-the-box (DSL-router,
DVB-S receiver, Home-NAS) and SSH is quite easy to configure for use
with these devices.


In comparison, the number of Web-Servers that are accessible via
SSL/TLS (HTTPS) is completely negligible.  From that fraction of
the Web-Servers that have some service running on port 443
it is around 97% that do not support SSL/TLS access.


Considering the intimidating Scare-pages of newer Web-Browsers
for Servers using self-signed certs,  the Browser-Vendors reliably
killed the usage-scenario to use TLS to access your Home-NAS,
DSL-Router or DVB-S receiver, because going through the pain
to obtain and yearly renew TLS certs for each and every device
-- in particular for the shortcut hostnames that people are
typically using at home, which most Browser-blessed CAs are
unlikely to issue certs for anyway.


The most recent developments in TLS are likely to cut back the
use of TLS to only public commercial services.  The Scare-Pages
of recent Browsers are sure killers for any intra-Home-applicability
of TLS and the standardization efforts around "server identification"
(certid) are likely to make things worse, because they are
similarly preoccupied with commercial CA certs and bureaucratic
hierarchical namespace management.

Being able to easily network a small number of computers and
network-attached devices at home without involvement of outside
third parties is a pretty common use case.  It is where SSH
started and excels.  It is where TLS hardly worked from
the beginning and where it has become much worse since due
to the Scare-Consumers-Away-From-This-Technology pages in
recent Browsers.


-Martin