[jdev] manifesto 0.4
holler at ahsoftware.de
Thu Nov 7 12:47:34 UTC 2013
Am 07.11.2013 12:16, schrieb Dave Cridland:
> On Wed, Nov 6, 2013 at 8:02 PM, Alexander Holler <holler at ahsoftware.de>wrote:
>> Not exactly the same, but I don't like the part
>> "or require cipher suites that enable forward secrecy"
>> for the same reason. OpenSSL 1.x isn't around that long, and there are
>> still many systems which do use e.g. Debian squeeze. And I assume the
>> state of OpenSSL on other "stable" systems like e.g. SLES or RHEL isn't
>> much better (but that's just an assumption from me).
> I hate to say it, but... If the TLS implementation you're using in
> production isn't sufficient, then trying to change what "sufficient" means
> is probably not the right approach.
I didn't speak about production environments. The manifesto affects all
users and a lot of them don't (have to) care about production environments.
E.g. my server only has to serve my needs and nobody else ones. So I can
make a lot of compromises up to the fact, that I don't care if the NSA
or GHCQ would be dumb enough to snoop on my communications which happens
over my XMPP server (which isn't that much).
But I care if my server wouldn't be able to communicate with other
servers because they require e.g. TLSv1.2.
So, please, don't interpret that such that I don't care for production
environments. I'm just able to differentiate between a production
environment and an environment with much less stringent requirements.
I'm pretty aware of the different requirements.
More information about the JDev