> On Dec 9, 2014, at 1:24 PM, Steffen Nurpmeso via RT <r...@openssl.org> wrote:
> 
> "Salz, Rich" <rs...@akamai.com> wrote:
> |I think magic names -- shorthands -- are a very bad idea. \
> 
> I _completely_ disagree.
> 
> | They are point-in-time statements whose meaning evolves, \
> |if not erodes, over time.
> 
> Because i don't think that a normal user, or even normal
> administrators and programmers is and are willing or even capable
> to understand what they are doing.

You are almost certainly far better qualified to make this decision than most 
administrators. Nevertheless, if upgrading OpenSSL from version X to version Y 
causes a ciphersuite (or TLS version) to be dropped into VULNERABLE, there are 
going to be angry phone calls from users whose browser or application has 
stopped working. It is the administrator who is going to get those phone calls, 
not you, and the decision of whether to enable an obsolete ciphersuite or to 
force the user/programmer to update is a political decision that you can’t make 
on their behalf. 

So there’s bettercrypto.org and there’s Qualys and there’s this BCP document 
that the UTA working group at the IETF is writing, but ultimately we can’t 
shove security down people’s throat - just make good tools for them and provide 
(hopefully) good advice.

Yoav

_______________________________________________
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev

Reply via email to