On Fri, Jul 19, 2013 at 11:13 AM, Michael Poole <mdpo...@troilus.org> wrote:

> Unless someone presents more compelling arguments in favor of the
> idea, I do not expect to add SSL support to ircu.
>
>

I would have thought privacy would be compelling enough?

What about those other servers out there that are standalone and would like
to offer some form of privacy to their users?


> On the server capacity side, SSL will also consume a lot of memory for
> a large network -- each SSL context is much larger than the current
>


Our network is not large, only about 3K users, with 5K at peak, over 4
servers, and similar to Undernet we require grunty machines with no other
services except ntp and localhost bound dns,
and of course anyone running SSL knows the overhead will increase
substantially and must plan for it.

> per-client budget.  That also means an increase in CPU cache
> thrashing, which means a disproportionate increase in CPU utilization.
>  Because ircu is single-threaded, CPU utilization can still be an
> issue, especially during a net burst.  (You're going to encrypt your
> server-to-server links too, right?  Hopefully using certificates that
> were distributed out-of-band?)
>

Absolutely


>
> On the administrative side of things, us maintainers would have
> additional legal obligations to comply with (regarding the export of
> cryptographic software, even if it is open source that only calls open
>

That is not a concern to our org, we are in Germany, Denmark,
Netherlands, and here where I am working for next year in Hong Kong
(although I'm British), with negotiations to soon have a server in
Australia join us, so are not subject to US law, yet we do have a number of
Americans on our network, and in a recent poll (incidentally taken before
prism) many indicated their country as USA and have preference for SSL too
and like everything you use, you do so at your own risk with relation to
laws of your individual countries.


> source libraries to perform the actual cryptographic operations) and
> it would make ircu illegal in some places.
>
>
Illegal in the eyes of the US, which can only enforce its laws against its citizens,
and surely not every ircu coder is American who I accept may be bound by
such laws, but non Americans certainly are not, and it would be very wrong
for a developer committee to squash something based on a legality in one
country, hell, if we did that, and took the laws of every country into
account, we'd be totally r..ted and might as well shut down the internet
right now and all find a different career :->



> I would suggest using IPsec as an alternative scheme to protect
> network traffic from eavesdropping, whether it is IRC or any other
> protocol, or SSL proxy software on the IRC server combined with iauth
> to "spoof" the true host names back onto a tunneled client.
>
>
A lot of effort, I know I'm capable, and German admin is capable, but I
know nothing of the abilities of the others, it might be simpler to look at
alternatives if this is definitive.
_______________________________________________
Coder-com mailing list
Coder-com@undernet.org
http://undernet.sbg.org/mailman/listinfo/coder-com
