[jdev] manifesto 0.4

Mathieu Pasquet mathieui at mathieui.net
Wed Oct 30 00:21:38 UTC 2013


On Tue, Oct 29, 2013 at 05:09:32PM -0600, Peter Saint-Andre wrote:
> 
> I just updated the encryption manifesto to incorporate feedback and
> clarify a few points:
> 
> https://github.com/stpeter/manifesto/blob/master/manifesto.txt
> 
> Your feedback (and signatures!) matter.
> 
> Peter
> 
> - -- 
> Peter Saint-Andre
> https://stpeter.im/
> 

Hi,

Before signing the manifesto as a software developer, there are
a few things that are unclear and I’m not sure we can commit to
this just yet:

Dropping SSLv2 is all good and I’m not even sure why SSLv2 was
supported initially (doesn’t xmpp appear after SSLv3 was standardized?),
but dropping SSLv3, while also a good idea, might cause issues with lots
of servers (not naming legacy ejabberd or openfire under old debian or
centos). Hopefully, we have some time to wake up some admins before the
dates set in the manifesto, but I hope the test days will help
troubleshooting the ones that don’t get the memo.

Do we need, to be consistent, to disable the protocol but indicate to
the user he will need to perform an extra action to be able to connect,
or do we need to make the connection impossible in any case?

I find the other points sensible, so I have nothing to add, except
maybe separating clearly clients & server requirements.

Regards



-- 
Mathieu Pasquet (mathieui)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20131030/1f121307/attachment.pgp>


More information about the JDev mailing list