> On 3 May 2017, at 14:09, Graham Leggett <minf...@sharp.fm> wrote:
>
> On 03 May 2017, at 2:01 PM, Stefan Eissing <stefan.eiss...@greenbytes.de> wrote:
>
>> We seem to all agree that a definition in code alone will not be good enough. People need to be able to see what is actually in effect.
>
> I think we’re overthinking this.
>
> We only need to document the settings that SSLSecurityLevel has clearly in our docs, and make sure that "httpd -L" prints out the exact details so no user need ever get confused.
>
>> If we let users define their own classes, it could look like this:
>
> Immediately we’ve jumped into functionality that is beyond Mr/Mrs Normal.
Agreed. If our default is simply ‘industry best practice’ (i.e. what we say it is*) — then Normal will be the new black. And everyone else is still in the same boat - i.e. having to specify it just like they do today.

All that requires is to make the defaults sane.

Dw.

*: exceed NIST and https://www.keylength.com/ for 5+ years, PFS, A or better at SSLLabs. https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices