[jdev] manifesto 0.4

Alexander Holler holler at ahsoftware.de
Thu Nov 7 12:47:34 UTC 2013

Am 07.11.2013 12:16, schrieb Dave Cridland:
> On Wed, Nov 6, 2013 at 8:02 PM, Alexander Holler <holler at ahsoftware.de>wrote:
>> Not exactly the same, but I don't like the part
>> "or require cipher suites that enable forward secrecy"
>> for the same reason. OpenSSL 1.x isn't around that long, and there are
>> still many systems which do use e.g. Debian squeeze. And I assume the
>> state of OpenSSL on other "stable" systems like e.g. SLES or RHEL isn't
>> much better (but that's just an assumption from me).
> I hate to say it, but... If the TLS implementation you're using in
> production isn't sufficient, then trying to change what "sufficient" means
> is probably not the right approach.

I didn't speak about production environments. The manifesto affects all 
users and a lot of them don't (have to) care about production environments.

E.g. my server only has to serve my needs and nobody else ones. So I can 
make a lot of compromises up to the fact, that I don't care if the NSA 
or GHCQ would be dumb enough to snoop on my communications which happens 
over my XMPP server (which isn't that much).

But I care if my server wouldn't be able to communicate with other 
servers because they require e.g. TLSv1.2.

So, please, don't interpret that such that I don't care for production 
environments. I'm just able to differentiate between a production 
environment and an environment with much less stringent requirements.

I'm pretty aware of the different requirements.

Alexander Holler.

More information about the JDev mailing list