Re: [TLS] Deployment ... Re: This working group has failed

Ben Laurie <benl@google.com> Tue, 19 November 2013 09:38 UTC

Return-Path: <benl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 498051AD8EA for <tls@ietfa.amsl.com>; Tue, 19 Nov 2013 01:38:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, LOTS_OF_MONEY=0.001, RP_MATCHES_RCVD=-0.525, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9AfahS-uaWjm for <tls@ietfa.amsl.com>; Tue, 19 Nov 2013 01:38:18 -0800 (PST)
Received: from mail-vb0-x230.google.com (mail-vb0-x230.google.com [IPv6:2607:f8b0:400c:c02::230]) by ietfa.amsl.com (Postfix) with ESMTP id CF5B21AD8D5 for <tls@ietf.org>; Tue, 19 Nov 2013 01:38:17 -0800 (PST)
Received: by mail-vb0-f48.google.com with SMTP id x16so1246149vbf.21 for <tls@ietf.org>; Tue, 19 Nov 2013 01:38:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=g2/wkznMTOxCIYZMyVrBuc5lq45vMHgBv7daSE7VMuU=; b=ginTF2skV+8iktxmPSRvGIS3CE9pRlCzW7eQco6DcZC6bOJagfeowHLQSOcnCa1Wl3 bxdDc/ddVOt0dGFZjwuuEWl45I4pR7WcOMhK+okbpNFUbHgsrSqduyvCEOZ3TfzGn04+ LNvjA6SbSwTqd/LEbdfeK/QMjYNZ6TFiuXfyCSWMdcq7EKTlkpZTQnK9cRvYNzHpvNbx /oF5ua2F2yS9B5+3ivuRQ1/BZvIbSIM72kIZZP2s0kkd6ToxbXflNcIDHUtA2/iZV8xs uZQi97xcBk9TgNbOZbRKEGb1TxIrxmr1Thp8IO7YT4LiTV8brFF3GiEzuAx9bdHGbXSd 5s8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=g2/wkznMTOxCIYZMyVrBuc5lq45vMHgBv7daSE7VMuU=; b=L90ZyhXSMahbED5ZK1tnmY8s4DFG6BsNfrxQ5jD+mN9Bal6tdsKVphHGr/acpucgQX ahd0a/8FD3KBVRjIZDgNsgPCtVfSrsZjmU6KpMamtKrFjnIrAnPfC1m9X384EVOx51yt ludUNSDPUnbl0cM46Vl+f61iHxyStnZ4j7ZfIlGaHgg63VEdp4d91LyouKnTGGDPSPx5 FiWdmR0HmVHJwZ8GU4NV5vCekU2DSKUDHnHRG12BDJLGS71YeCjr4R8g9rbvsq7CNw3N BzU1EAN7bQGkIU5PEZAdyfijhOnEPw29Rc6XZNzfHKx5S1zSKyeubPp++iwHoJpKZtbh N6Bg==
X-Gm-Message-State: ALoCoQmZmhc/AzNG9p7lgT0hdgeHMVOz1ZfvrxfkJ/Z5mFKNioQdqYUxB8X90tfLXji96kpptjTAIgRmh2yTXFf0Hia7i88n7bRdNBbLfQl5uKnWOgrigfiPopCMphQkf3AFCyxnS3AQlhMeUyrcMYOOtkny4zc+ypsPNWqi6weTemmFQRfSxQlEBdlsrp3UvUvPGz2Kr5Mh
MIME-Version: 1.0
X-Received: by 10.52.245.9 with SMTP id xk9mr4373740vdc.8.1384853891652; Tue, 19 Nov 2013 01:38:11 -0800 (PST)
Received: by 10.52.183.65 with HTTP; Tue, 19 Nov 2013 01:38:11 -0800 (PST)
In-Reply-To: <CACsn0cnRUDZp=_iOy+J4Ur1PFtkJgfFcHzhVFviSYUG9mh_t4w@mail.gmail.com>
References: <CACsn0c=i2NX2CZ=Md2X+WM=RM8jAysaenz6oCxmoPt+LC5wvjA@mail.gmail.com> <52874576.9000708@gmx.net> <CAPMEXDbgp5+Gg6mkMWNrcOzmAbSpv3kjftGV0cjpqvMnRxpw=A@mail.gmail.com> <44D7624E-75D8-47D3-93BF-97427206E800@iki.fi> <CACsn0c=9GrO21ECZczB2zft3bVODcc=1ZRp3pG22c-rrDfTPXQ@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C711DAEEE373@USMBX1.msg.corp.akamai.com> <CACsn0cnRUDZp=_iOy+J4Ur1PFtkJgfFcHzhVFviSYUG9mh_t4w@mail.gmail.com>
Date: Tue, 19 Nov 2013 09:38:11 +0000
Message-ID: <CABrd9SQsrG2xCWQrtcLzAyvhBZ_Fz=S8bG8QxfiNuCBk1W7j0w@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deployment ... Re: This working group has failed
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2013 09:38:19 -0000

On 18 November 2013 16:34, Watson Ladd <watsonbladd@gmail.com> wrote:
> On Mon, Nov 18, 2013 at 7:02 AM, Salz, Rich <rsalz@akamai.com> wrote:
>>> TLS 1.2 solves the same problem as TLS 1.0. It should therefore have the same API.
>>
>> Do you really believe this or are you trying to just be provocative?
> Do you really believe that backwards compatibility at the source level
> had to be sacrificed?
> Stable interfaces are the norm, unstable ones are remarkable. How many
> prongs does a ground-fault detecting electricity socket have?
> BLAS has multiple implementations, all with the same API. MPI looks
> the same on a bunch of Xboxes wired together with Ethernet as it does
> on a several million dollar supercomputer. GMP doesn't gratuitously
> change its interface with every performance enhancement, and to this
> day "Hello World" works unchanged on my machine, some 40 years after
> it first ran on a PDP-11. Everything about the environment it runs on
> is different, from the word size, to the endianness, to the output
> mechanism, to the interface I am using. And yet it works with only a
> recompile.
>
> TCP has undergone many changes to the implementation, yet the BSD
> sockets API still works. Why exactly does an application need to care
> about which ciphersuite is used? Why does it need to do more than hand
> over some trusted PKI roots, and a server certificate?
>
> The current APIs have caused lots of security bugs as people don't use
> them correctly. The solution: high level APIs that won't change when
> the implementation is upgraded. Is this really too lofty a goal? The
> costs of the current approach are obvious: what are the costs of
> making better APIs?

I won't defend OpenSSL's APIs, because I agree they're pretty sucky,
but I do want to observe that the TLS API did not change between TLS
1.0 and 1.2, so I'm not really sure what you're talking about here.