Re: SSL/TLS instead of SSL in docs

Euler Taveira <euler@eulerto.com>

From: "Euler Taveira" <euler@eulerto.com>
To: "Daniel Gustafsson" <daniel@yesql.se>, "Peter Eisentraut" <peter.eisentraut@enterprisedb.com>
Cc: "Bruce Momjian" <bruce@momjian.us>, "Tom Lane" <tgl@sss.pgh.pa.us>, "Magnus Hagander" <magnus@hagander.net>, "Andrew Dunstan" <andrew.dunstan@2ndquadrant.com>, "Jeff Davis" <pgsql@j-davis.com>, "PostgreSQL Developers" <pgsql-hackers@lists.postgresql.org>
Date: 2021-07-01T16:01:52Z
Lists: pgsql-hackers

Attachments

On Wed, Jun 30, 2021, at 5:46 PM, Daniel Gustafsson wrote:
> > On 30 Jun 2021, at 20:20, Peter Eisentraut <peter.eisentraut@enterprisedb.com> wrote:
> 
> > I am not in favor of this direction.  I think it just adds tediousness and doesn't really help anyone.  If we are worried about correct terminology, then we should just change everything to TLS.
> 
> I actually think SSL/TLS has won the debate of "correct terminology" for
> describing a secure connection encrypted by a TLS protocol.
> 
TLS is described as a successor of SSL. However, the terminology SSL is still
popular when you are talking about secure connection over a computer network.
It seems that's one of the main reasons for articles/documentation use SSL/TLS.

The primary use of SSL/TLS is to secure WWW connections over HTTP protocol. A
recent survey reveals that SSL is supported by less than 4% of the websites in
the world [1]. SSL 3.0 (the latest published protocol version) is deprecated
since 2015 (6 years ago) [2]. There is no web browser that has SSL enabled by
default (indeed, most of them don't support SSL anymore).

I tend to agree with Peter that the correct terminology is TLS. However, SSL is
still popular (probably because popular SSL/TLS libraries contain SSL in its
name). If we change to SSL/TLS, I'm afraid we have this discussion again for
(a) remove SSL or (b) add another popular secure protocol and we end up with
SSL/TLS/FOO terminology.

Commit fe61df7f introduces a new configure option that is --with-ssl. Such
option is also used in other softwares too. All configuration parameters
related to SSL/TLS starts with ssl. It is hard to decide among popular (SSL),
correct (TLS), and mix (SSL/TLS).

If I have to pick one, it would be SSL/TLS. It mentions both acronyms that is
easier to correlate with configuration parameters, secure connections (via
--with-ssl) and current protocol (TLS).

Your patch doesn't apply anymore and requires a rebase. I'm attaching a new
version. It looks good to me. I noticed that you are using
<acronym>SSL/TLS</acronym>, however, the acronyms are declared separated. It
doesn't seem to be a presentation issue per se but I'm asking just in case.


[1] https://en.wikipedia.org/wiki/Transport_Layer_Security#Websites
[1] https://datatracker.ietf.org/doc/html/rfc7568


--
Euler Taveira
EDB   https://www.enterprisedb.com/

Commits

  1. doc: Clarify when SSL actually means TLS

  2. doc: Add acronyms for MITM and SNI

  3. doc: Apply markup <productname> to OpenSSL more consistently

  4. Introduce --with-ssl={openssl} as a configure option