On Tue, 2015-05-05 at 14:57 -0400, Andrew Stitcher wrote:
> On Tue, 2015-05-05 at 14:21 -0400, Alan Conway wrote:
> > On Tue, 2015-05-05 at 12:43 -0400, Andrew Stitcher wrote:
> > > On Tue, 2015-05-05 at 12:13 -0400, Alan Conway wrote:
> > > > The problem:
> > > >
> > > > 1. Insecure defaults are, well, insecure.
> > > > 2. Secure defaults cause confusion and support overhead esp. in
> > > > dev/testing environments.
> > > > 3. We need fine-grained security settings (e.g. "allow-plain-with-ssl")
> > > > because security is complicated.
> > > >
> > > > Here's what I would suggest:
> > > >
> > > > Provide a top-level setting: "secure", default true.
> > >
> > > The new proton security APIs are pretty similar to this already - you
> > > did look at them?
> > >
> > > There are actually 2 settings which control authentication and
> > > encryption.
> >
> > That's what I'm getting at. There are already 2, you're adding another
> > which is 3, then there'll be 4...
>
> I did consider those settings pretty carefully and did have them
> reviewed (potentially by you).
>
> I do think they reasonably cover a lot of the security landscape in a
> simple to understand way, and don't need adding to.
>
> However, if you want to add more detailed settings not covered by them
> that's ok too.
OK, let me back up and regroup: I'm happy with 2 settings, auth_required and encryption_required. If we can satisfy all users with just those two I will be very happy. I am not *proposing* additional settings, but I had the impression we were on the verge of adding one, allow_plain_with_no_ssl or somesuch. If we can avoid that then so much the better.

IF we do (now or later) need to start adding detailed settings, then they should have a sensible default *based on the values of auth_required and encryption_required*, not just a static default. Most users should ONLY have to set auth_required and encryption_required and be confident that things will usually Just Work.

In particular, if both are false, then all detailed settings should have permissive defaults. If both are true, then all detailed settings should have strict defaults. So a secure user can assume the standard "denied if not explicitly permitted" for the additional settings, and an insecure user can assume "anything goes" without having to set a bunch of individual settings.

But again, if we can satisfy all with just the 2 settings that is ideal, and we should strive to minimize additional settings.
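The derived-default rule described in the message above, worked through as an added example. This is illustrative code written for this page, not Apache Qpid Proton's API or any code from the thread: the detailed setting names (allow_plain_without_tls, allow_anonymous, verify_peer_cert) are hypothetical, and the handling of the mixed case (only one of the two top-level flags true) is an assumption, since the message only defines the both-true and both-false cases. It also adds the startup check a practitioner would want: a list of explicit overrides that are more permissive than what the top-level flags would have derived.

```python
"""Resolve detailed security settings from two top-level flags.

Added example, not Apache Qpid Proton's own API: the detailed setting
names below are hypothetical, and the treatment of the mixed case
(only one of the two top-level flags true) is an assumption, since the
thread only defines the both-true and both-false cases.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical detailed settings: name -> (governing top-level flags,
# permissive value, strict value). "Strict" is the "denied unless
# explicitly permitted" choice; "permissive" is "anything goes".
DETAIL_SETTINGS: Dict[str, Tuple[Tuple[str, ...], bool, bool]] = {
    "allow_plain_without_tls": (("encryption_required",), True, False),
    "allow_anonymous":         (("auth_required",), True, False),
    "verify_peer_cert":        (("encryption_required",), False, True),
}


@dataclass
class SecurityConfig:
    # Top-level settings; the only ones most users should need to set.
    auth_required: bool = True
    encryption_required: bool = True
    # Explicit per-setting overrides; anything absent here is derived.
    overrides: Dict[str, bool] = field(default_factory=dict)


def derived_default(name: str, cfg: SecurityConfig) -> bool:
    """Default for one detailed setting, derived from the top-level flags.

    Both top-level flags false -> permissive; both true -> strict.
    Assumption for the mixed case: a detail setting is strict whenever
    any of the top-level flags that govern it is true.
    """
    governors, permissive, strict = DETAIL_SETTINGS[name]
    top = {"auth_required": cfg.auth_required,
           "encryption_required": cfg.encryption_required}
    return strict if any(top[g] for g in governors) else permissive


def resolve(cfg: SecurityConfig) -> Dict[str, bool]:
    """Effective settings: the top-level flags plus every detail setting,
    using an explicit override where given and the derived default otherwise."""
    unknown = set(cfg.overrides) - set(DETAIL_SETTINGS)
    if unknown:
        raise ValueError(f"unknown settings: {sorted(unknown)}")
    effective = {"auth_required": cfg.auth_required,
                 "encryption_required": cfg.encryption_required}
    for name in DETAIL_SETTINGS:
        effective[name] = cfg.overrides.get(name, derived_default(name, cfg))
    return effective


def weakening_overrides(cfg: SecurityConfig) -> List[str]:
    """Names of overrides that are more permissive than the derived default.

    Useful as a startup check: with the top-level flags set to true, these
    are the individual settings that quietly reopen a hole."""
    weakened = []
    for name, value in cfg.overrides.items():
        if name not in DETAIL_SETTINGS:
            continue
        _, permissive, _ = DETAIL_SETTINGS[name]
        if value == permissive and derived_default(name, cfg) != permissive:
            weakened.append(name)
    return sorted(weakened)


if __name__ == "__main__":
    dev = SecurityConfig(auth_required=False, encryption_required=False)
    prod = SecurityConfig()
    print("dev :", resolve(dev))
    print("prod:", resolve(prod))
    relaxed = SecurityConfig(overrides={"allow_plain_without_tls": True})
    print("weakened in a secure config:", weakening_overrides(relaxed))
```

With both flags false every detail setting comes out permissive; with both true (the default) every one comes out strict; an override is only reported as weakening when it is more permissive than the value the flags would have derived, so a dev configuration that sets allow_plain_without_tls explicitly is not flagged.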
