On 10/30/2013 01:21 AM, Mathieu Pasquet wrote:
On Tue, Oct 29, 2013 at 05:09:32PM -0600, Peter Saint-Andre wrote:

I just updated the encryption manifesto to incorporate feedback and
clarify a few points:

https://github.com/stpeter/manifesto/blob/master/manifesto.txt

Your feedback (and signatures!) matter.

Peter

- --
Peter Saint-Andre
https://stpeter.im/


Hi,

Before signing the manifesto as a software developer, there are
a few things that are unclear and I’m not sure we can commit to
this just yet:

Dropping SSLv2 is all good and I’m not even sure why SSLv2 was
supported initially (didn’t XMPP appear after SSLv3 was standardized?),
but dropping SSLv3, while also a good idea, might cause issues with lots
of servers (not naming legacy ejabberd or openfire under old debian or
centos). Hopefully, we have some time to wake up some admins before the
dates set in the manifesto, but I hope the test days will help with
troubleshooting the ones that don’t get the memo.

Do we need, to be consistent, to disable the protocol but indicate to
the user he will need to perform an extra action to be able to connect,
or do we need to make the connection impossible in any case?

I find the other points sensible, so I have nothing to add, except
maybe separating client & server requirements clearly.

I'd also like some clarification about removing plain connections. In some situations (you have a local server, for example) the server can allow only non-secure connections to prevent memory consumption. So should we really disable plain connections, or just disable them by default and require some advanced user configuration to enable them?

--
Yann
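Added example (not from this thread or the manifesto itself): one way a client could implement the policy Mathieu and Yann are asking about, with plaintext off unless explicitly enabled in advanced settings, a clear message telling the user what extra action is needed, and SSLv2/SSLv3 refused by setting a TLS floor. The setting names and feature strings are assumptions for illustration.

```python
import ssl
from dataclasses import dataclass


@dataclass
class ClientPolicy:
    """Hypothetical client settings (names are assumptions for this example)."""
    allow_plaintext: bool = False                    # "advanced" opt-in only
    min_tls: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2  # anything below refuses SSLv2/SSLv3


def make_tls_context(policy: ClientPolicy) -> ssl.SSLContext:
    """Build an SSLContext whose protocol floor excludes SSLv2 and SSLv3.

    The manifesto's requirement is only that SSLv2/SSLv3 go away; TLS 1.2
    is used here as a modern floor that satisfies it.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = policy.min_tls
    return ctx


def decide(stream_features: set, policy: ClientPolicy) -> tuple:
    """Decide how to proceed after reading the server's <stream:features/>.

    stream_features is the set of feature names the server advertised
    (constructed input for this example, e.g. {"starttls"}).
    Returns (action, message) where action is "starttls", "plain" or "abort".
    """
    if "starttls" in stream_features:
        return "starttls", "Server offers STARTTLS; negotiating TLS."
    if policy.allow_plaintext:
        # Explicitly enabled by the user, so proceed but make the risk visible.
        return "plain", "WARNING: connecting WITHOUT encryption (explicitly enabled)."
    # Default: refuse, and tell the user which extra action would allow it.
    return "abort", ("Server offers no TLS; refusing to connect. "
                     "Enable 'allow_plaintext' in advanced settings to override.")


if __name__ == "__main__":
    for features in ({"starttls", "starttls-required"}, set()):
        print(decide(features, ClientPolicy()))
    print(decide(set(), ClientPolicy(allow_plaintext=True)))
    print(make_tls_context(ClientPolicy()).minimum_version.name)
```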

_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
_______________________________________________