I'm not aware of the goings on that prompted this topic, but FWIW, I think Alan's proposal is a really good approach.
> -----Original Message-----
> From: Alan Conway [mailto:[email protected]]
> Sent: Wednesday, May 06, 2015 10:29 AM
> To: Andrew Stitcher
> Cc: [email protected]; [email protected]
> Subject: Re: Configuration for security.
>
> On Tue, 2015-05-05 at 14:57 -0400, Andrew Stitcher wrote:
> > On Tue, 2015-05-05 at 14:21 -0400, Alan Conway wrote:
> > > On Tue, 2015-05-05 at 12:43 -0400, Andrew Stitcher wrote:
> > > > On Tue, 2015-05-05 at 12:13 -0400, Alan Conway wrote:
> > > > > The problem:
> > > > >
> > > > > 1. Insecure defaults are, well, insecure.
> > > > > 2. Secure defaults cause confusion and support overhead esp. in dev/testing environments.
> > > > > 3. We need fine-grained security settings (e.g. "allow-plain-with-ssl") because security is complicated.
> > > > >
> > > > > Here's what I would suggest:
> > > > >
> > > > > Provide a top-level setting: "secure", default true.
> > > >
> > > > The new proton security APIs are pretty similar to this already - you did look at them?
> > > >
> > > > There are actually 2 settings which control authentication and encryption.
> > >
> > > That's what I'm getting at. There are already 2, you're adding another which is 3, then there'll be 4...
> >
> > I did consider those settings pretty carefully and did have them reviewed (potentially by you).
> >
> > I do think they reasonably cover a lot of the security landscape in a simple to understand way, and don't need adding to.
> >
> > However, if you want to add more detailed settings not covered by them that's ok too.
>
> OK, let me back up and regroup:
>
> I'm happy with 2 settings auth_required, encryption_required. If we can satisfy all users with just those two I will be very happy.
>
> I am not *proposing* additional settings, but I had the impression we were on the verge of adding one allow_plain_with_no_ssl or somesuch. If we can avoid that then so much the better.
>
> IF we do (now or later) need to start adding detailed settings, then they should have a sensible default *based on the values of auth_required and encryption_required*, not just a static default.
>
> Most users should ONLY have to set auth_required and encryption_required and be confident that things will usually Just Work. In particular if both are false, then all detailed settings should have permissive defaults. If both are true then all detailed settings should have strict defaults. So a secure user can assume the standard "denied if not explicitly permitted" for the additional settings, and an insecure user can assume "anything goes" without having to set a bunch of individual settings.
>
> But again, if we can satisfy all with just the 2 settings that is ideal and we should strive to minimize additional settings.
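The defaulting rule Alan describes in the quoted message (fine-grained settings whose defaults are derived from auth_required and encryption_required rather than fixed statically) sketched as an added Python example. This is not Proton code or anything from the thread; the detail-setting names other than the thread's allow_plain_with_no_ssl are constructed for illustration, and the handling of the mixed case (only one of the two top-level switches set), where each detail setting follows the switch that governs it, is my assumption. A `weakened()` check is included so an operator can see which explicit overrides loosen a profile that would otherwise be strict.

```python
"""Derive fine-grained security defaults from two top-level switches.

Added example, not Proton code. Only auth_required, encryption_required and
the idea of an allow_plain_with_no_ssl-style setting come from the thread;
everything else here is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed table of detail settings. Each entry names the top-level switch
# that governs its default and gives its permissive and strict values.
# (Assumption: in the mixed case each setting follows its own governing switch.)
DETAIL_SETTINGS = {
    "allow_plain_without_tls": {"governed_by": "encryption_required", "permissive": True, "strict": False},
    "allow_anonymous": {"governed_by": "auth_required", "permissive": True, "strict": False},
    "verify_peer_cert": {"governed_by": "encryption_required", "permissive": False, "strict": True},
}


@dataclass
class SecurityConfig:
    auth_required: bool = True        # secure default, as the thread argues for
    encryption_required: bool = True  # secure default, as the thread argues for
    overrides: Dict[str, bool] = field(default_factory=dict)  # explicit detail settings

    def __post_init__(self) -> None:
        # Reject typos in override names rather than silently ignoring them.
        unknown = set(self.overrides) - set(DETAIL_SETTINGS)
        if unknown:
            raise ValueError(f"unknown security settings: {sorted(unknown)}")

    def default_for(self, name: str) -> bool:
        """Strict value if the governing switch is on, permissive otherwise."""
        spec = DETAIL_SETTINGS[name]
        governing = getattr(self, spec["governed_by"])
        return spec["strict"] if governing else spec["permissive"]

    def resolve(self) -> Dict[str, bool]:
        """Effective value of every detail setting: override wins, else derived default."""
        return {name: self.overrides.get(name, self.default_for(name)) for name in DETAIL_SETTINGS}

    def weakened(self) -> List[str]:
        """Overrides that make a setting more permissive than its derived default."""
        out = []
        for name, value in self.overrides.items():
            spec = DETAIL_SETTINGS[name]
            if value != self.default_for(name) and value == spec["permissive"]:
                out.append(name)
        return sorted(out)


if __name__ == "__main__":
    # Both switches off: "anything goes". Both on: "denied if not explicitly permitted".
    print(SecurityConfig(auth_required=False, encryption_required=False).resolve())
    print(SecurityConfig(auth_required=True, encryption_required=True).resolve())
    # A secure profile with one loosening override is reported.
    print(SecurityConfig(overrides={"allow_plain_without_tls": True}).weakened())
```

Because defaults are computed, not stored, adding a fourth or fifth detail setting means adding one table row; a user who sets only the two top-level switches is unaffected.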
