Re: SSL/TLS instead of SSL in docs
Euler Taveira <euler@eulerto.com>
From: "Euler Taveira" <euler@eulerto.com>
To: "Daniel Gustafsson" <daniel@yesql.se>,
"Peter Eisentraut" <peter.eisentraut@enterprisedb.com>
Cc: "Bruce Momjian" <bruce@momjian.us>, "Tom Lane" <tgl@sss.pgh.pa.us>,
"Magnus Hagander" <magnus@hagander.net>,
"Andrew Dunstan" <andrew.dunstan@2ndquadrant.com>,
"Jeff Davis" <pgsql@j-davis.com>,
"PostgreSQL Developers" <pgsql-hackers@lists.postgresql.org>
Date: 2021-07-01T16:01:52Z
Lists: pgsql-hackers
Attachments
- v4-0001-Docs-SSL-TLS-related-acronyms.patch (text/x-patch) patch v4-0001
- v4-0002-Docs-Replace-usage-of-SSL-with-SSL-TLS.patch (text/x-patch) patch v4-0002
On Wed, Jun 30, 2021, at 5:46 PM, Daniel Gustafsson wrote: > > On 30 Jun 2021, at 20:20, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote: > > > I am not in favor of this direction. I think it just adds tediousness and doesn't really help anyone. If we are worried about correct terminology, then we should just change everything to TLS. > > I actually think SSL/TLS has won the debate of "correct terminology" for > describing a secure connection encrypted by a TLS protocol. > TLS is described as a successor of SSL. However, the terminology SSL is still popular when you are talking about secure connection over a computer network. It seems that's one of the main reasons for articles/documentation use SSL/TLS. The primary use of SSL/TLS is to secure WWW connections over HTTP protocol. A recent survey reveals that SSL is supported by less than 4% of the websites in the world [1]. SSL 3.0 (the latest published protocol version) is deprecated since 2015 (6 years ago) [2]. There is no web browser that has SSL enabled by default (indeed, most of them don't support SSL anymore). I tend to agree with Peter that the correct terminology is TLS. However, SSL is still popular (probably because popular SSL/TLS libraries contain SSL in its name). If we change to SSL/TLS, I'm afraid we have this discussion again for (a) remove SSL or (b) add another popular secure protocol and we end up with SSL/TLS/FOO terminology. Commit fe61df7f introduces a new configure option that is --with-ssl. Such option is also used in other softwares too. All configuration parameters related to SSL/TLS starts with ssl. It is hard to decide among popular (SSL), correct (TLS), and mix (SSL/TLS). If I have to pick one, it would be SSL/TLS. It mentions both acronyms that is easier to correlate with configuration parameters, secure connections (via --with-ssl) and current protocol (TLS). Your patch doesn't apply anymore and requires a rebase. I'm attaching a new version. It looks good to me. I noticed that you are using <acronym>SSL/TLS</acronym>, however, the acronyms are declared separated. It doesn't seem to be a presentation issue per se but I'm asking just in case. [1] https://en.wikipedia.org/wiki/Transport_Layer_Security#Websites [1] https://datatracker.ietf.org/doc/html/rfc7568 -- Euler Taveira EDB https://www.enterprisedb.com/
Commits
-
doc: Clarify when SSL actually means TLS
- 860ea46ba7be 15.0 landed
-
doc: Add acronyms for MITM and SNI
- 15ff5401d171 14.0 landed
-
doc: Apply markup <productname> to OpenSSL more consistently
- f80979f659d3 14.0 landed
-
Introduce --with-ssl={openssl} as a configure option
- fe61df7f82aa 14.0 cited