V Thu, Jun 30, 2022 at 10:46:27PM +0100, Richard W.M. Jones napsal(a): > Practically what would help is an easier way to reduce security for > only specific sites + protocols. It's very easy right now to set the > whole system to LEGACY, and much harder to set legacy for a specific > site + protocol. (In fact I have no idea how to go about it for this > particular case we're talking about.) > Cryptopolicy would work as a soft limit. Cryptolibraries would return a distinct error INSECURE instead of UNKNOWN. Applications on the INSECURE error would offer a user to override the cryptopolicy soft limit.
At the end cryptolibraries many times keep implementing the weak algorithms because the algorithms might be strong enough for a different purpose (like a digest vs. an HMAC), or the cryptopolicy gives a different security level to different purposes (creating vs. verifying a signature), or because the user is not interested in the cryptographical guarantees at all, he only wants to unwrap the wanted data (e.g. reading an ancient digitally-signed message). For the first and the last case cryptolibraries already provide a mean for applications to convey an intent for, or a use of the algorithm. It's "only" necessary to augment API of the libraries to support the intent parameter everywhere. Now cryptopeople will argue that users will learn to click "connect anyway" all the time. Well, there will be users like that. But not everbody is like that. I'd rather use a device which I can control than me to be controlled by the device. -- Petr
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
