Re: [TLS] Deployment ... Re: This working group has failed
Watson Ladd <watsonbladd@gmail.com> Mon, 18 November 2013 16:35 UTC
On Mon, Nov 18, 2013 at 7:02 AM, Salz, Rich <rsalz@akamai.com> wrote:
>> TLS 1.2 solves the same problem as TLS 1.0. It should therefore have the same API.
>
> Do you really believe this or are you trying to just be provocative?

Do you really believe that backwards compatibility at the source level had to be sacrificed? Stable interfaces are the norm, unstable ones are remarkable. How many prongs does a ground-fault detecting electricity socket have? BLAS has multiple implementations, all with the same API. MPI looks the same on a bunch of Xboxes wired together with Ethernet as it does on a several million dollar supercomputer. GMP doesn't gratuitously change its interface with every performance enhancement, and to this day "Hello World" works unchanged on my machine, some 40 years after it first ran on a PDP-11. Everything about the environment it runs on is different, from the word size, to the endianness, to the output mechanism, to the interface I am using. And yet it works with only a recompile. TCP has undergone many changes to the implementation, yet the BSD sockets API still works.

Why exactly does an application need to care about which ciphersuite is used? Why does it need to do more than hand over some trusted PKI roots, and a server certificate? The current APIs have caused lots of security bugs as people don't use them correctly. The solution: high level APIs that won't change when the implementation is upgraded. Is this really too lofty a goal? The costs of the current approach are obvious: what are the costs of making better APIs?

Sincerely,
Watson Ladd

>
> --
> Principal Security Engineer
> Akamai Technology
> Cambridge, MA

--
"Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
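The API shape argued for above, as an added illustration that is not part of the thread: the application hands over trusted roots and a peer name and never names a ciphersuite, next to the low-level misuse (switching verification off) that the post says the current APIs invite, plus an audit helper a defender can run over a context. The function names and the constructed contexts are this example's own; it uses only Python's standard `ssl` module.

```python
import ssl
from typing import List, Optional


def high_level_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The 'hand over trusted PKI roots' API: verification is on by default,
    the library chooses protocol version and ciphersuite.
    cafile=None falls back to the platform's default trust store."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # floor, not a suite choice
    return ctx


def misused_low_level_context() -> ssl.SSLContext:
    """Constructed misuse: an application silences a verification error by
    turning certificate and hostname checks off. (check_hostname must be
    cleared before verify_mode may be set to CERT_NONE.)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a client context; an empty list means it still
    authenticates the server and refuses pre-1.2 protocol versions."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not checked")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not bound to the peer name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is below TLS 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("high-level", high_level_client_context()),
                      ("misused", misused_low_level_context())):
        print(name, audit_context(ctx) or ["ok"])
```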