[jdev] manifesto 0.4
asterix at lagaule.org
Wed Oct 30 14:36:52 UTC 2013
On 10/30/2013 01:21 AM, Mathieu Pasquet wrote:
> On Tue, Oct 29, 2013 at 05:09:32PM -0600, Peter Saint-Andre wrote:
>> I just updated the encryption manifesto to incorporate feedback and
>> clarify a few points:
>> Your feedback (and signatures!) matter.
>> --
>> Peter Saint-Andre
> Before signing the manifesto as a software developer, there are
> a few things that are unclear and I’m not sure we can commit to
> this just yet:
> Dropping SSLv2 is all good and I’m not even sure why SSLv2 was
> supported initially (didn’t XMPP appear after SSLv3 was standardized?),
> but dropping SSLv3, while also a good idea, might cause issues with lots
> of servers (not naming legacy ejabberd or openfire under old debian or
> centos). Hopefully, we have some time to wake up some admins before the
> dates set in the manifesto, but I hope the test days will help
> troubleshooting the ones that don’t get the memo.
> To be consistent, do we need to disable the protocol but indicate to
> the user that he will need to perform an extra action to be able to
> connect, or do we need to make the connection impossible in any case?
> I find the other points sensible, so I have nothing to add, except
> maybe separating clearly clients & server requirements.
I'd also like some clarification about removing plain connections.
In some situations (you have a local server, for example) the server
may allow only non-secure connections to limit memory consumption. So
should we really disable plain connections, or just disable them by
default and require some advanced user configuration to enable them?
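Both questions raised in this message (refuse an SSLv3-only server outright or tell the user what to do about it, and drop plaintext entirely or leave it behind an advanced setting) reduce to a small client-side connection policy. What follows is an added illustration written for this archive page; it is not code from the manifesto or from any XMPP client or server. The `ServerOffer` description, the `allow_plaintext` setting and the user-facing messages are hypothetical, and the TLS 1.2 floor it sets goes beyond the thread's point about SSLv3.

```python
"""Client-side connection policy for the two questions in the message above:
what to do when a server only negotiates SSLv2/SSLv3, and whether a
plaintext connection is ever allowed.  Added example, not from any XMPP
client; ServerOffer and the allow_plaintext knob are constructed here."""
import ssl
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    CONNECT_TLS = "connect over TLS"
    CONNECT_PLAIN = "connect without TLS"
    REFUSE_LEGACY = "refuse: server offers only SSLv2/SSLv3"
    REFUSE_PLAIN = "refuse: server offers no TLS"


@dataclass(frozen=True)
class ServerOffer:
    """What the client learned about the server (constructed for the example)."""
    starttls: bool            # server advertised STARTTLS in its stream features
    best_protocol: str = ""   # best version it negotiates, e.g. "SSLv3", "TLSv1.2"


@dataclass(frozen=True)
class ClientConfig:
    # Hypothetical advanced setting: plaintext is refused unless the user
    # explicitly turns this on (the "disable by default" option).
    allow_plaintext: bool = False


LEGACY = {"SSLv2", "SSLv3"}


def build_client_context() -> ssl.SSLContext:
    """TLS context that never negotiates SSLv2/SSLv3.

    PROTOCOL_TLS_CLIENT already disables both; the TLS 1.2 floor and the
    mandatory certificate verification are this example's own choices."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def decide(offer: ServerOffer, cfg: ClientConfig) -> tuple[Decision, str]:
    """Return the decision plus a message the client can show the user,
    so a refused connection explains which extra action is needed."""
    if offer.starttls:
        if offer.best_protocol in LEGACY:
            return (Decision.REFUSE_LEGACY,
                    f"Server only supports {offer.best_protocol}; ask its "
                    "administrator to enable TLS before connecting again.")
        return Decision.CONNECT_TLS, f"Negotiating {offer.best_protocol}."
    if cfg.allow_plaintext:
        return (Decision.CONNECT_PLAIN,
                "Connecting WITHOUT encryption because allow_plaintext is set.")
    return (Decision.REFUSE_PLAIN,
            "Server offers no TLS. Enable allow_plaintext in the advanced "
            "settings to connect anyway (e.g. to a local test server).")


if __name__ == "__main__":
    build_client_context()  # raises if the local OpenSSL cannot meet the floor
    cases = [
        (ServerOffer(True, "TLSv1.2"), ClientConfig()),
        (ServerOffer(True, "SSLv3"), ClientConfig()),
        (ServerOffer(False), ClientConfig()),
        (ServerOffer(False), ClientConfig(allow_plaintext=True)),
    ]
    for offer, cfg in cases:
        decision, message = decide(offer, cfg)
        print(f"{offer} -> {decision.name}: {message}")
```

The SSLv3-only case is refused but reported with the action the user needs (get the administrator to upgrade), which is the first of the two alternatives Mathieu asks about; the plaintext case implements the "disabled by default, explicit advanced setting to enable" option rather than a hard refusal, so a local server that deliberately offers no TLS stays reachable only after a conscious choice.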