> On 3 May 2017, at 14:09, Graham Leggett <minf...@sharp.fm> wrote:
> 
> On 03 May 2017, at 2:01 PM, Stefan Eissing <stefan.eiss...@greenbytes.de> 
> wrote:
> 
>> We seem to all agree that a definition in code alone will not be good 
>> enough. People need to be able to see what is actually in effect.
> 
> I think we’re overthinking this.
> 
> We only need to document the settings that SSLSecurityLevel has clearly in 
> our docs, and make sure that "httpd -L" prints out the exact details so no 
> user need ever get confused.
> 
>> If we let users define their own classes, it could look like this:
> 
> Immediately we’ve jumped into functionality that is beyond Mr/Mrs Normal.

Agreed. If our default is simply ‘industry best practice’ (i.e. what we say it 
is*) — then Normal will be the new black.

And everyone else is still in the same boat - i.e. having to specify it just 
like they do today.

All that requires is to make the defaults sane.

Dw.

*: exceed NIST and https://www.keylength.com/ for 5+ years, PFS, A or better at SSLLabs. 
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
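As an added illustration (not part of the thread, and not httpd project code): the footnote's "industry best practice" spelled out as the explicit mod_ssl configuration an administrator has to write by hand today, next to a constructed weak fragment it replaces. The hostname, certificate paths, cipher list, curve choice and HSTS max-age are this example's assumptions, not anything the thread specifies; some directives need httpd 2.4.8+ with OpenSSL 1.0.2+ (SSLOpenSSLConfCmd) or 2.4.11+ (SSLSessionTickets), and the CHACHA20 suites need OpenSSL 1.1.0+.

```apache
# --- Before (constructed example of a configuration that would NOT meet the
# footnote's bar): every protocol OpenSSL offers, the library default cipher
# list including RC4/3DES and non-PFS RSA key transport, client-chosen cipher
# order, TLS compression enabled. Kept commented out so the file loads.
#
#   SSLProtocol all
#   SSLCipherSuite DEFAULT
#   SSLHonorCipherOrder off
#   SSLCompression on

# --- After: explicit "best practice" configuration (mid-2017 assumptions) ---

# OCSP stapling cache must be declared at server-config level, not per vhost.
SSLStaplingCache shmcb:/run/httpd/ssl_stapling(32768)

<VirtualHost *:443>
    # Assumed hostname for this example.
    ServerName www.example.com
    SSLEngine on

    # Key and chain: a 2048-bit RSA or P-256 ECDSA key is assumed here, which
    # stays above the keylength.com near-term minimums. Paths are placeholders.
    SSLCertificateFile    /etc/ssl/certs/www.example.com.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Protocols: TLS 1.2 only. SSLv3, TLS 1.0 and 1.1 are excluded.
    SSLProtocol -all +TLSv1.2

    # PFS only: ECDHE key exchange with AEAD ciphers. No RSA key transport,
    # no CBC-mode legacy suites, no RC4/3DES. Server picks the order.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on

    # ECDHE curves for the key exchange: prefer P-256, allow P-384.
    SSLOpenSSLConfCmd Curves P-256:P-384

    # TLS compression off (CRIME). Session tickets off: httpd's ticket key is
    # generated at startup and not rotated, which undercuts forward secrecy.
    SSLCompression off
    SSLSessionTickets off

    # OCSP stapling so clients do not have to contact the CA themselves.
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off

    # HSTS (requires mod_headers). An SSL Labs A+ additionally needs a long
    # HSTS max-age; one year is used here.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

Everything in the "after" block is what a user currently has to specify by hand; the thread's point is that a sane default should make most of it unnecessary for the "Normal" case. Check the result with `apachectl configtest` before reloading, and note that Apache does not accept trailing comments on a directive line, which is why every comment above sits on its own line.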
