[jdev] manifesto 0.4
holler at ahsoftware.de
Thu Nov 7 19:50:23 UTC 2013
On 07.11.2013 19:37, Dave Cridland wrote:
> On Thu, Nov 7, 2013 at 12:47 PM, Alexander Holler <holler at ahsoftware.de> wrote:
>> I didn't speak about production environments. The manifesto affects all
>> users and a lot of them don't (have to) care about production environments.
> By users we mean end-users, ie, users on your server?
There is no difference. I know of a lot of "production" environments
which still do use much older systems. E.g. I've already mentioned SLES
"up to date" is the keyword here. E.g. squeeze is still supported but
its openssl doesn't support TLSv1.2. And even if it would be EOL, I
would like it, if I would have the freedom to choose myself, when I stop
Some people just don't want to buy a new phone every year. And there are
many legitimate reasons to refuse upgrading a phone, pc or whatever to
the latest available software versions.
> Your server is surely in production, isn't it?
> Production means "deployed for everyday use", in my mind.
Sure, therefore I'm here and speak against the requirement for TLSv1.2.
The manifesto sounds like it might be a good idea to enforce that
requirement on the S2S too, and that clearly isn't what should be done
in my opinion.
I now could start to talk about the questionable requirement for
"trusted" certificates (whatever that should be) or DNSSEC (which I see
as a red button in the hand of a foreign, not that friendly, government,
which for sure doesn't care about me), but I think it's better not to
start such a discussion here.
I already seem to be pretty alone with letting the user choose what he
thinks he needs (I'm pretty in support of encouraging strong encryption,
just not of _requiring_ it, at least not now).
> In any case, the attack vector here isn't that the NSA or GCHQ are
> targeting you specifically. It's that they're targeting everyone, and
> keeping that information around in case they need it later. This is why
> we're suggesting encrypting everything, and with PFS, so that it's
> worthless, and so they *need* to target you to snoop on you.
I know all that (don't misinterpret the fact that I've forgotten
that DH has been supported by openssl for a long time), but I wouldn't use
my server for any communication I want to be secret. At least not for
stuff which isn't p2p encrypted (and XMPP usually is not).