Re: SSL/TLS instead of SSL in docs

From: "Euler Taveira" <euler(at)eulerto(dot)com>
To: "Daniel Gustafsson" <daniel(at)yesql(dot)se>, "Peter Eisentraut" <peter(dot)eisentraut(at)enterprisedb(dot)com>
Cc: "Bruce Momjian" <bruce(at)momjian(dot)us>, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Magnus Hagander" <magnus(at)hagander(dot)net>, "Andrew Dunstan" <andrew(dot)dunstan(at)2ndquadrant(dot)com>, "Jeff Davis" <pgsql(at)j-davis(dot)com>, "PostgreSQL Developers" <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: SSL/TLS instead of SSL in docs
Date: 2021-07-01 16:01:52
Message-ID: cdc18e3b-f664-4727-8410-a5b9df482a15@www.fastmail.com
Lists: pgsql-hackers

On Wed, Jun 30, 2021, at 5:46 PM, Daniel Gustafsson wrote:
> > On 30 Jun 2021, at 20:20, Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> wrote:
>
> > I am not in favor of this direction. I think it just adds tediousness and doesn't really help anyone. If we are worried about correct terminology, then we should just change everything to TLS.
>
> I actually think SSL/TLS has won the debate of "correct terminology" for
> describing a secure connection encrypted by a TLS protocol.
>
TLS is described as a successor of SSL. However, the terminology SSL is still
popular when you are talking about a secure connection over a computer network.
It seems that's one of the main reasons articles/documentation use SSL/TLS.

The primary use of SSL/TLS is to secure WWW connections over the HTTP protocol. A
recent survey reveals that SSL is supported by less than 4% of the websites in
the world [1]. SSL 3.0 (the latest published protocol version) has been deprecated
since 2015 (6 years ago) [2]. There is no web browser that has SSL enabled by
default (indeed, most of them don't support SSL anymore).

I tend to agree with Peter that the correct terminology is TLS. However, SSL is
still popular (probably because popular SSL/TLS libraries contain SSL in their
names). If we change to SSL/TLS, I'm afraid we will have this discussion again to
(a) remove SSL or (b) add another popular secure protocol and we end up with
SSL/TLS/FOO terminology.

Commit fe61df7f introduces a new configure option that is --with-ssl. Such an
option is also used in other software too. All configuration parameters
related to SSL/TLS start with ssl. It is hard to decide among popular (SSL),
correct (TLS), and mix (SSL/TLS).

If I have to pick one, it would be SSL/TLS. It mentions both acronyms, which makes
it easier to correlate with configuration parameters, secure connections (via
--with-ssl) and current protocol (TLS).

Your patch doesn't apply anymore and requires a rebase. I'm attaching a new
version. It looks good to me. I noticed that you are using
<acronym>SSL/TLS</acronym>, however, the acronyms are declared separately. It
doesn't seem to be a presentation issue per se but I'm asking just in case.

[1] https://en.wikipedia.org/wiki/Transport_Layer_Security#Websites
[2] https://datatracker.ietf.org/doc/html/rfc7568

--
Euler Taveira
EDB https://www.enterprisedb.com/

Attachment Content-Type Size
v4-0001-Docs-SSL-TLS-related-acronyms.patch text/x-patch 2.0 KB
v4-0002-Docs-Replace-usage-of-SSL-with-SSL-TLS.patch text/x-patch 70.9 KB
