On 07/11/13 12:54, Philipp Hancke wrote:
> On Thu, 7 Nov 2013, Kwadronaut wrote:
>> That in itself isn't bad at all, rather the opposite, it's great. But
>> yes, what are the implications of a push towards this?
>> Openssl supports and accepts 16-bit DHE-group. [1] Current Java 6&7
>> don't like any DHE >1024bits (workaround exists by using Bouncycastles
>> JCE). Without looking at what is still around as Alexander did, I wonder
>
> So you take things like the manifesto, draft-sheffer-tls-bcp-00 and
> draft-saintandre-xmpp-tls and show it to the people making Java and tell
> them they need to support it.

I think you're missing my point here. I was trying to point out that a bunch of different commonly used software pieces (Schannel, Openssl, Java) *don't* or *can't* use DHE in a good way.

What did we see happening in the webserver world? People say: "Oh, PFS, that's really nifty, let's implement it with TLS_RSA_WITH_RC4_128_MD5 to lower the load." And that is actually downgrading the security if you come from better non-PFS ciphers. There's some mention in draft-saintandre-xmpp-tls about the ciphers to be used, but nothing about the DHE and same for that other draft.

The second argument, which goes hand in hand with the above, is that TLS itself doesn't have any way to negotiate the DHE.

Right now the manifesto is praising the merits of PFS too much and not taking these implications into account. Or is there some way I don't know about to make all of the above moot?

Also, I'm not going to take any documents to the Java people, I try to stay out of their lands. I would appreciate a constructive reply though, even if you and I don't use a Java XMPP implementation, we might communicate with people on such a platform.

ciao
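
The group-size problem raised in this message, as an added example that is not part of the original post: in a DHE handshake the server alone picks the group and sends it in ServerKeyExchange, so a client can only inspect the prime it received and accept or abort. The function names, the size limits and the sample parameters below are constructed for illustration; the large sample moduli are not real primes, only their bit lengths matter here.

```python
import struct

def read_vec16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n

def parse_server_dh_params(body):
    """Parse ServerDHParams (dh_p, dh_g, dh_Ys) from a DHE ServerKeyExchange body."""
    p, off = read_vec16(body, 0)
    g, off = read_vec16(body, off)
    ys, off = read_vec16(body, off)  # the signature that follows is not parsed here
    return tuple(int.from_bytes(v, "big") for v in (p, g, ys))

def check_dhe_group(body, min_bits=2048, max_bits=None):
    """Client-side policy: the only choices are to accept the offered group or abort."""
    p, g, ys = parse_server_dh_params(body)
    bits = p.bit_length()
    if bits < min_bits:
        return bits, "reject: group too small"
    if max_bits is not None and bits > max_bits:
        return bits, "reject: group larger than client supports"
    if not (1 < ys < p - 1):
        return bits, "reject: invalid public value"
    return bits, "accept"

def build_params(p, g, ys):
    """Encode constructed sample parameters the way a server would send them."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

# Constructed samples: a 16-bit group, and 1024/2048-bit stand-in moduli.
SAMPLE_16 = build_params(65521, 2, 12345)
SAMPLE_1024 = build_params(2**1023 + 1, 2, 2**100)
SAMPLE_2048 = build_params(2**2047 + 1, 2, 2**100)
```

A client capped at 1024 bits (`max_bits=1024`) and a client requiring 2048 bits (`min_bits=2048`) cannot both accept the same server group, and nothing in the handshake lets either of them tell the server so in advance.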