[jdev] manifesto 0.4

Kwadronaut Kwadronaut at autistici.org
Thu Nov 7 12:52:26 UTC 2013

On 07/11/13 12:54, Philipp Hancke wrote:
> On Thu, 7 Nov 2013, Kwadronaut wrote:
>> That in itself isn't bad at all, rather the opposite, it's great. But
>> yes, what are the implications of a push towards this?
>> OpenSSL supports and accepts 16-bit DHE-group. [1] Current Java 6&7
>> don't like any DHE >1024bits (workaround exists by using Bouncy Castle's
>> JCE). Without looking at what is still around as Alexander did, I wonder
> So you take things like the manifesto, draft-sheffer-tls-bcp-00 and
> draft-saintandre-xmpp-tls and show it to the people making Java and tell
> them they need to support it.

I think you're missing my point here. I was trying to point out that a
bunch of different commonly used software pieces (Schannel, OpenSSL,
Java) *don't* or *can't* use DHE in a good way. What did we see
happening in the webserver world? People say: "Oh, PFS, that's really
nifty, let's implement it with TLS_RSA_WITH_RC4_128_MD5 to lower the
load." And that is actually downgrading the security if you come from
better non-PFS ciphers. There's some mention in
draft-saintandre-xmpp-tls about the ciphers to be used, but nothing
about the DHE and same for that other draft.

The second argument, which goes hand in hand with above, is that TLS
itself doesn't have any way to negotiate the DHE.

Right now the manifesto is praising the merits of PFS too much and not
taking these implications into account. Or is there some way I don't
know about to make all above moot?

Also, I'm not going to take any documents to the Java people, I try to
stay out of their lands. I would appreciate a constructive reply though,
even if you and I don't use a Java XMPP implementation, we might
communicate with people on such a platform.
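
Added example (not part of the original message or of any project named in it): in a DHE handshake the client first sees the group in the server's ServerKeyExchange, after the cipher suite is already chosen, so it can only accept or abort. The sketch parses the ServerDHParams fields and applies a client-side size policy; the function names, the 1024-bit floor and the filler values standing in for primes are assumptions, and the 1024-bit ceiling mirrors the Java 6/7 limit described in the message.

```python
import struct

def filler_modulus(bits: int) -> int:
    """Constructed stand-in for a DH prime: correct bit length, NOT a real prime."""
    return (1 << (bits - 1)) | 1

def build_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Encode ServerDHParams: dh_p, dh_g, dh_Ys, each with a 2-byte length prefix."""
    out = b""
    for n in (p, g, ys):
        raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

def parse_server_dh_params(body: bytes):
    """Return (p, g, ys) read from the start of a DHE ServerKeyExchange body."""
    values, off = [], 0
    for _ in range(3):
        if off + 2 > len(body):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from("!H", body, off)
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError("bad vector length")
        values.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    return tuple(values)

def judge_group(body: bytes, min_bits: int = 1024, max_bits=None):
    """Client-side verdict on the server's group; max_bits models a capped client."""
    p, _g, _ys = parse_server_dh_params(body)
    bits = p.bit_length()
    if bits < min_bits:
        return ("reject-weak", bits)       # e.g. the 16-bit group case
    if max_bits is not None and bits > max_bits:
        return ("handshake-fails", bits)   # client cannot process the group
    return ("accept", bits)

if __name__ == "__main__":
    for size in (16, 1024, 2048):
        msg = build_server_dh_params(filler_modulus(size), 2, 2)
        print(size, "strict client:", judge_group(msg),
              "| client capped at 1024:", judge_group(msg, max_bits=1024))
```
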

