On Tue, Oct 29, 2013 at 05:09:32PM -0600, Peter Saint-Andre wrote:
> 
> I just updated the encryption manifesto to incorporate feedback and
> clarify a few points:
> 
> https://github.com/stpeter/manifesto/blob/master/manifesto.txt
> 
> Your feedback (and signatures!) matter.
> 
> Peter
> 
> - -- 
> Peter Saint-Andre
> https://stpeter.im/
> 

Hi,

Before signing the manifesto as a software developer, there are
a few things that are unclear and I’m not sure we can commit to
this just yet:

Dropping SSLv2 is all good and I’m not even sure why SSLv2 was
supported initially (didn’t XMPP appear after SSLv3 was standardized?),
but dropping SSLv3, while also a good idea, might cause issues with lots
of servers (not naming legacy ejabberd or Openfire under old Debian or
CentOS). Hopefully, we have some time to wake up some admins before the
dates set in the manifesto, but I hope the test days will help with
troubleshooting the ones that don’t get the memo.

Do we need, to be consistent, to disable the protocol but indicate to
the user he will need to perform an extra action to be able to connect,
or do we need to make the connection impossible in any case?

I find the other points sensible, so I have nothing to add, except
maybe separating clearly clients & server requirements.

Regards



-- 
Mathieu Pasquet (mathieui)

_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
_______________________________________________