[Ach] considering your experience in selecting the perfect config string, would you...

Alexander Wuerstlein arw at cs.fau.de
Sun Jul 6 17:20:40 CEST 2014


On 2014-07-03T20:26, ianG <iang at iang.org> wrote:
> On 29/06/2014 19:43 pm, Alexander Wuerstlein wrote:
> > On 2014-06-29T17:02, ianG <iang at iang.org> wrote:
> > 
> > And since we are talking about changing your TCP implementation here,
> > the change will be an operating system update which usually will cost
> > you money and bring along a lot of additional pain. Far more money and
> > pain than e.g. a simple Firefox Upgrade that brings you TLS1.2.
> > So while I agree that it is perhaps unlikely that people will change
> > their configuration, it is far more unlikely that they will update their
> > OS.
> 
> 
> I think when it comes to the vast population, that is what they do:
> upgrade their OS using the auto-update button provided ... or perhaps I
> am biased by Macs, but maybe that is also the point:  what is winning
> and is seen to be winning is the OS that makes upgrades easy and timely.

Maybe, but MacOS would be my example for the exact opposite: updates
within a release are usually easy and pain-free, but updates to the next
version are costly, break things (often had stuff like "can't use the
new 'Striped Ice Cat' release because it breaks my calendar") and
sometimes don't even work on older hardware.

So whether this new TCP implementation would be used quickly would
strongly depend on whether an OS vendor sees it as a "small, harmless
security-update" or if it's a bigger change they save for the next big,
costly, difficult, incompatible upgrade. Semantic changes like "it's a
new protocol version that behaves differently" would increase the
probability of that update falling into the big & costly category.

> > I think this model is acceptable, as long as there is a clear consensus
> > that protocol updates for new cipher suites should be agreed upon in a
> > very timely fashion. This would also mean that there could be version
> > upgrades that just change the cipher suite and nothing else, perhaps
> > skipping ahead of a queue of other nifty features that were planned for
> > the next new version.
> 
> 
> I think this assumes that the user / sysadm has anything to do with a
> consensus.  I don't follow that assumption.  The last N times I updated
> anything on my laptop, I didn't have much of an idea what was being
> updated, I just updated to stop the silly warnings and questions about
> UPDATE NOW or LATER.

I think I was unclear: I don't think sysadmins or users would be
involved in that consensus at all. I'm talking about the relevant
standards committee. I fear that cipher suite updates will be delayed in
such a committee for reasons of "it would be a shame to bump the version
just for a new cipher suite" and "but there is that one nifty feature I
would like to add".




Ciao,

Alexander Wuerstlein.


