[Members] More security: A manifesto update

Peter Saint-Andre - &yet peter at andyet.net
Fri Jan 9 00:12:01 UTC 2015


The combination of the following documents covers things for SSL/TLS:

https://datatracker.ietf.org/doc/draft-ietf-uta-tls-bcp/
https://datatracker.ietf.org/doc/draft-ietf-uta-xmpp/

On 1/8/15 3:54 PM, Ludovic BOCQUET wrote:
> Dear all,
>
> Some months ago (more than one year), I requested the removal of SSLv3
> compatibility and the very old port 5223 in different XMPP
> clients/servers/services (not added in the current manifesto).
>
> Some months ago, Poodle was announced for SSLv3 and a little later
> for TLS 1.0/1.1 too.
> - https://www.imperialviolet.org/2014/10/14/poodle.html
> - https://www.imperialviolet.org/2014/12/08/poodleagain.html
>
> Today, after one month (Poodle TLS), I think it would be nice to update
> the manifesto (launched one year ago):
> - https://github.com/stpeter/manifesto/blob/master/manifesto.txt
> - http://stpeter.im/journal/1496.html
>
> With:
> - no 5223 port
> - no SSLv3
> - no TLS 1.0 (no TLS 1.1 either would be perfect)
> - no cipher like RC4 (and other weak/very weak ciphers)
> - no PLAIN (only C2S/S2S secured connection - StartTLS required with
> SCRAM-SHA-1)
> - no DIGEST-MD5 (only C2S/S2S secured connection - StartTLS required
> with SCRAM-SHA-1)
> - 2048-bit certificates and more (4096 bits would be perfect but...)
>
> Attention: SHA-1 will be stopped soon, so it may be good to look at SHA-256
> certificates and more:
> - http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html
> - https://support.servertastic.com/deprecation-of-sha1-and-moving-to-sha2/
>
> Some information:
> - https://tools.ietf.org/html/draft-ietf-uta-xmpp-04
> - https://tools.ietf.org/html/draft-ietf-tls-prohibiting-rc4-01
>
> Thanks in advance,
>
> Regards,
>
> BOCQUET Ludovic
>


-- 
Peter Saint-Andre
https://andyet.com/
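As an added example (not part of this thread, the manifesto, or the drafts linked above), the checklist in the quoted message can be turned into an offline audit of what an XMPP server advertises in `<stream:features>` and of the TLS parameters it negotiated. The stanza and the TLS values below are constructed; the OpenSSL-style protocol and cipher names are an assumption about how the deployment reports them.

```python
import xml.etree.ElementTree as ET

# Namespaces of the XMPP stream features being inspected (RFC 6120).
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
# The thread's wish list expressed as machine-checkable rules.
BANNED_MECHANISMS = {"PLAIN", "DIGEST-MD5"}
BANNED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # assumed OpenSSL-style names
MIN_KEY_BITS = 2048

def audit_features(features_xml):
    """Check a <stream:features> stanza: StartTLS must be advertised as
    <required/> and no PLAIN or DIGEST-MD5 mechanism may be offered."""
    root = ET.fromstring(features_xml)
    findings = []
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    if starttls is None:
        findings.append("StartTLS not advertised")
    elif starttls.find(f"{{{NS_TLS}}}required") is None:
        findings.append("StartTLS advertised but not marked <required/>")
    offered = {m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text}
    for mech in sorted(BANNED_MECHANISMS & offered):
        findings.append(f"weak SASL mechanism offered: {mech}")
    if offered and "SCRAM-SHA-1" not in offered:
        findings.append("SCRAM-SHA-1 not offered")
    return findings

def audit_tls(protocol, cipher, key_bits, sig_alg):
    """Check negotiated TLS parameters: protocol version, cipher suite,
    certificate key size and the certificate's signature algorithm."""
    findings = []
    if protocol in BANNED_PROTOCOLS:
        findings.append(f"deprecated protocol version: {protocol}")
    if "RC4" in cipher.upper():
        findings.append(f"weak cipher: {cipher}")
    if key_bits < MIN_KEY_BITS:
        findings.append(f"certificate key too small: {key_bits} bits")
    if sig_alg.lower().startswith("sha1"):
        findings.append(f"certificate signed with SHA-1: {sig_alg}")
    return findings

# Constructed sample: a server that still offers all the legacy features.
SAMPLE_FEATURES = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>SCRAM-SHA-1</mechanism>
  </mechanisms>
</stream:features>"""
# Constructed sample of a legacy TLS session: protocol, cipher, key bits, cert signature.
SAMPLE_TLS = ("TLSv1", "RC4-SHA", 1024, "sha1WithRSAEncryption")
```

Running `audit_features(SAMPLE_FEATURES) + audit_tls(*SAMPLE_TLS)` lists every point of the checklist the sample deployment misses; an empty list means the advertised features and session satisfy it.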

