On Tuesday, 03.11.2015, 23:08 +0100, Gunnar Haslinger wrote:
> On 03.11.2015 at 22:38, Aaron Zauner wrote:
> > I recommend double-checking a cipherstring recommendation against
> > *all* 0.9.8 and 1.0.1 branches.
>
> OK ... that's harder than I expected.
> But then it seems to be unsolvable for me to get a predictable situation
> by recommending a fixed "Cipher Suite B" String.
Okay, I had already written a lengthy text to contribute to this thread, but dismissed it as the TL;DR was "it doesn't matter". So then ...

Speaking a bit along the lines of Terje: please consider the scope of the document. It is not to find the best solution, which will work for everyone. It is a first go-to reference for people who want to set up a server on their own with sane crypto that works appropriately for the most common use-cases. If you need a solution for your multi-million dollar mobile banking app, you should probably do some additional research of your own or pay somebody to do this for you.

Effectively, both DHE and ECDHE can be considered sane today. The same is true for AES128 and AES256. Having lengthy discussions about which one should be preferred does not lead us anywhere, nor does trying to pin down the exact preference order in every imaginable combination of applications. If "Configuration B" results in a non-optimised but still quite workable result for all platforms, so be it. People who want to self-host their blog and secure it with TLS should be served well with "Configuration B", regardless of whether AES128 or AES256 is king.

People who have to consider stuff like computational complexity, be it because they are dealing with (broken) mobile devices that claim to support algorithms which in reality they cannot, cannot expect to find a simple cut-and-paste template that fits all of their (and everybody else's) needs. Still, they may use ACH as a first point of reference.

Would it be appreciated if I wrote some prose for section 1 that addresses the targeted audience and scope? Hopefully this could also avoid reactions from people like him: http://www.heise.de/security/artikel/Das-BSI-und-der-Elfenbeinturm-2589893.html (German only)

Cheers
David

_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
