naif <n...@globaleaks.org> added the comment: Regarding the mainteneance i expect that, if we make a future-proof choice, it would take at least 5 years before that someone will need to have other ciphers added.
Consider that a new cipher is standardized once every X year, and typically, if it get diffused/adopted (and not abbandoned or marginally used), it will happen in few other years. The new ciphers will get into OpenSSL, so the proposed approach to: - Start from default - Disable anything that's - Unsecure/Weak - Not used/widely used Would still means that, when OpenSSL library will add a new cipher because a new RFC will get out, for sure it will not be unsecure/weak. There are chance that it will not get used/widely used, in that case in some other year, we'll update the default disabled ciphers. But such approach would provide very "low maintenance" because "not doing anything" can only create a situation where "more ciphers" get added by default (included in newer OpenSSL / new TLS RFC). But those new ciphers will not be weak, even if not maintained. ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue13636> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com