On Tue, Feb 10, 2015 at 10:52:02PM +0000, Salz, Rich wrote: > > I'd further suggest to move everything that's not PFS&AEAD from HIGH to > > MEDIUM. > > I think it's a little early to do that. But once TLS 1.3 is out, then yes :)
This is NOT a decision a library should be making on behalf of applications. So, NO, not even then, except that of course when TLS 1.3 is negotiated, that's all you get, but that only happens with TLS 1.3 peers, which is fine and does not break compatibility, and does not require re-definition of the existing cipher-suite classes. We should also recall that the master branch has introduced "security levels", which may still need some work to become production-ready, but are likely a better mechanism for applications to move to more secure settings than incompatible changes in existing interfaces. Not all applications are browsers folks, and libraries need to provide stable interfaces that mirror the application's intent consistent with expected behaviour of existing interfaces. Only new interfaces can freely shed compatibility baggage. -- Viktor. _______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev