[jdev] manifesto 0.4

Thijs Alkemade thijs at xnyhps.nl
Thu Nov 7 20:29:26 UTC 2013


On 7 nov. 2013, at 20:50, Alexander Holler <holler at ahsoftware.de> wrote:

> "up to date" is the keyword here. E.g. squeeze is still supported but its openssl doesn't support TLSv1.2. And even if it were EOL, I would like it if I had the freedom to choose myself when I stop using it.

And some people might still want to use SSLv2 with DES, but it’s really not a good reason to keep using protocols with known vulnerabilities. If we were adjusting the requirements so even the laziest admins wouldn’t need to do anything, then it would hardly be a manifesto.

> Sure, therefore I'm here and speak against the requirement for TLSv1.2. The manifesto sounds like it might be a good idea to enforce that requirement on the S2S too, and that clearly isn't what should be done in my opinion.

There’s no such requirement in the manifesto and I know many people would be against doing that right now.

> I already seem to be pretty alone with letting the user choose what he thinks he needs (I'm pretty much in support of encouraging strong encryption, just not of _requiring_ it, at least not now).

There’s also no requirement for “strong” encryption, unless you count the MTI cipher suite TLS_RSA_WITH_AES_128_CBC_SHA from RFC 6120 or the requirement to prefer forward-secret cipher suites.

>> In any case, the attack vector here isn't that the NSA or GCHQ are
>> targetting you specifically. It's that they're targetting everyone, and
>> keeping that information around in case they need it later. This is why
>> we're suggesting encrypting everything, and with PFS, so that it's
>> worthless, and so they *need* to target you to snoop on you.
> 
> I know all that (don't misinterpret the fact that I've forgotten that DH has been supported by openssl for a long time), but I wouldn't use my server for any communication I want to be secret. At least not for stuff which isn't p2p encrypted (and XMPP usually is not).

You don’t care about security, you don’t want your communication to be secret… why are you even discussing this? You’re derailing this thread with misinformation and showing an unwillingness to change anything.

Thijs
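
The two concrete technical points in this exchange are the RFC 6120 STARTTLS negotiation that the manifesto wants every server to offer, and the cipher-suite policy it asks for (prefer forward-secret ECDHE/DHE suites, keep the mandatory-to-implement TLS_RSA_WITH_AES_128_CBC_SHA available). The following script is an added example, not code from the jdev list, the manifesto, or any XMPP project: it audits a preference list offline and, optionally, runs the stream-header / starttls / proceed exchange against a live server to report the negotiated protocol and cipher. The cipher lists in the comments and any host names are constructed for illustration; `_read_until` and `probe_xmpp_starttls` are hypothetical helper names.

```python
"""Audit an XMPP server's cipher-suite policy and probe its STARTTLS negotiation.

Added example for the manifesto discussion; not code from the list or the manifesto.
Sample cipher lists below are constructed for illustration.
"""
import socket
import ssl

# Mandatory-to-implement suite from RFC 6120 (IANA name) and its OpenSSL alias.
MTI_SUITE_IANA = "TLS_RSA_WITH_AES_128_CBC_SHA"
MTI_SUITE_OPENSSL = "AES128-SHA"

# Key-exchange tokens that mean an ephemeral (EC)DH exchange, i.e. forward secrecy.
FORWARD_SECRET_KX = ("ECDHE", "DHE", "EDH")


def is_forward_secret(suite):
    """True if the suite negotiates an ephemeral (EC)DH key, in IANA or OpenSSL naming."""
    name = suite.upper()
    if name.startswith("TLS_"):
        if "_WITH_" not in name:
            # TLS 1.3 suites name only the AEAD; their key exchange is always ephemeral.
            return True
        kx = name[4:].split("_WITH_")[0]          # e.g. ECDHE_RSA, RSA, DH_ANON
        return kx.split("_")[0] in FORWARD_SECRET_KX
    # OpenSSL style: ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-SHA, AES128-SHA
    return name.split("-")[0] in FORWARD_SECRET_KX


def audit_preference(order):
    """Check a server-side preference list against the manifesto's policy.

    `order` is the list of suites in the server's preference order. A list passes
    when it offers at least one forward-secret suite and ranks every forward-secret
    suite above every non-forward-secret one; the MTI suite should still be present
    so RFC 6120 clients can connect at all.
    """
    fs = [i for i, s in enumerate(order) if is_forward_secret(s)]
    non_fs = [i for i, s in enumerate(order) if not is_forward_secret(s)]
    return {
        "offers_forward_secrecy": bool(fs),
        "prefers_forward_secrecy": bool(fs) and (not non_fs or max(fs) < min(non_fs)),
        "offers_mti_suite": any(s.upper() in (MTI_SUITE_IANA, MTI_SUITE_OPENSSL) for s in order),
        "first_non_fs_suite": order[min(non_fs)] if non_fs else None,
    }


def _read_until(sock, marker, limit=65536):
    """Read from the plaintext stream until `marker` appears or the peer closes."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe_xmpp_starttls(domain, host=None, port=5222, timeout=10.0):
    """Run the RFC 6120 STARTTLS exchange against a live server (network required).

    Returns the negotiated TLS version and cipher so an admin can see whether the
    server actually lands on a forward-secret suite, not just whether it offers TLS.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # report old servers instead of failing early
    with socket.create_connection((host or domain, port), timeout=timeout) as sock:
        sock.sendall((
            "<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
            "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>" % domain
        ).encode())
        features = _read_until(sock, b"</stream:features>")
        if b"urn:ietf:params:xml:ns:xmpp-tls" not in features:
            return {"starttls": False, "reason": "server did not advertise starttls"}
        sock.sendall(b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
        reply = _read_until(sock, b"/>")
        if b"<proceed" not in reply:
            return {"starttls": False, "reason": reply.decode(errors="replace")}
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            cipher_name, _proto, _bits = tls.cipher()
            return {
                "starttls": True,
                "protocol": tls.version(),
                "cipher": cipher_name,
                "forward_secret": is_forward_secret(cipher_name),
            }


if __name__ == "__main__":
    # Constructed preference lists: a squeeze-era list that puts the MTI suite first,
    # and a manifesto-style list that prefers ECDHE/DHE but keeps AES128-SHA available.
    print(audit_preference(["AES128-SHA", "ECDHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA"]))
    print(audit_preference(["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA", "AES128-SHA"]))
```

`probe_xmpp_starttls("example.org")` is the live check and is deliberately left out of the tests; the OpenSSL cipher-string equivalent of a passing list is simply one that lists `ECDHE`/`DHE` suites before `AES128-SHA`, with the server's own preference order honoured.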
