On Tue, 2015-05-05 at 14:21 -0400, Alan Conway wrote: > On Tue, 2015-05-05 at 12:43 -0400, Andrew Stitcher wrote: > > On Tue, 2015-05-05 at 12:13 -0400, Alan Conway wrote: > > > The problem: > > > > > > 1. Insecure defaults are, well, insecure. > > > 2. Secure defaults cause confusion and support overhead esp. in > > > dev/testing environments. > > > 3. We need fine-grained security settings (e.g. "allow-plain-with-ssl") > > > because security is complicated. > > > > > > Here's what I would suggest: > > > > > > Provide a top-level setting: "secure", default true. > > > > The new proton security APIs are pretty similar to this already - you > > did look at them? > > > > There are actually 2 setting which control authentication and > > encryption. > > That's what I'm getting at. There are already 2, you're adding another > which is 3, then there'll be 4...
I did consider those settings pretty carefully and did have them reviewed (potentially by you). I do think they reasonably cover a lot of the security landscape in a simple to understand way, and don't need adding to. However, if you want to add more detailed settings not covered by them that's ok too. A --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
