On Wed, 2015-05-06 at 10:28 -0400, Alan Conway wrote:
> ...
> > However, if you want to add more detailed settings not covered by them
> > that's ok too.

I should have been clearer here - At the top level (mostly in pn_transport) I think that these two settings are sufficient for everything I can think of. But if we need finer grain control then we can add extra settings to the detailed objects pn_sasl/pn_sasl. There are already detailed settings - mostly in pn_ssl to set the certificates and verification policy. However for very many uses this should not be necessary.

> OK, let me back up and regroup:
>
> I'm happy with 2 settings auth_required, encryption_required. If we can
> satisfy all users with just those two I will be very happy.
>
> I am not *proposing* additional settings, but I had the impression we
> were on the verge of adding one allow_plain_with_no_ssl or somesuch. If
> we can avoid that then so much the better.
>
> IF we do (now or later) need to start adding detailed settings, then
> they should have a sensible default *based on the values of
> auth_required and encryption_required*, not just a static default.
>
> Most users should ONLY have to set auth_required and encryption_required
> and be confident that things will usually Just Work. In particular if
> both are false, then all detailed settings should have permissive
> defaults. If both are true then all detailed settings should have strict
> defaults. So a secure user can assume the standard "denied if not
> explicitly permitted" for the additional settings, and an insecure user
> can assume "anything goes" without having to set a bunch of individual
> settings.
>
> But again, if we can satisfy all with just the 2 settings that is ideal
> and we should strive to minimize additional settings.

I agree with this restatement of your position 100% - user configurable settings are evil.

Andrew
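The defaulting rule discussed in this thread, sketched as an added example that is not part of the original messages and is not Proton code: a detailed setting left unset takes its default from auth_required and encryption_required. The types and function names are hypothetical, and two behaviours are assumptions the thread does not settle: the mixed case (only one flag true) defaults to strict, and encryption_required cannot be weakened by a detailed setting.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical types for illustration; these are not Proton API names. */
typedef enum { SETTING_UNSET = 0, SETTING_DENY, SETTING_ALLOW } tristate_t;

typedef struct {
    bool auth_required;                 /* top-level setting from the thread */
    bool encryption_required;           /* top-level setting from the thread */
    tristate_t allow_plain_with_no_ssl; /* detailed setting; UNSET = derive */
} transport_policy_t;

/* An explicit detailed value wins; otherwise derive the default from the
 * two top-level flags: permissive only when both are false.
 * Assumption: the mixed case (one flag true) is treated as strict. */
static bool resolve_detail(const transport_policy_t *p, tristate_t detail)
{
    if (detail != SETTING_UNSET)
        return detail == SETTING_ALLOW;
    return !p->auth_required && !p->encryption_required;
}

/* May a PLAIN exchange proceed on this connection? */
bool plain_permitted(const transport_policy_t *p, bool link_encrypted)
{
    /* Assumption: the top-level requirement always overrides details. */
    if (p->encryption_required && !link_encrypted)
        return false;
    if (link_encrypted)
        return true; /* the detailed setting only concerns cleartext links */
    return resolve_detail(p, p->allow_plain_with_no_ssl);
}

int main(void)
{
    /* Constructed sample policies. */
    transport_policy_t open_policy   = { false, false, SETTING_UNSET };
    transport_policy_t strict_policy = { true,  true,  SETTING_UNSET };
    transport_policy_t opt_in        = { true,  false, SETTING_ALLOW };

    printf("open, cleartext:   %d\n", plain_permitted(&open_policy, false));
    printf("strict, cleartext: %d\n", plain_permitted(&strict_policy, false));
    printf("opt-in, cleartext: %d\n", plain_permitted(&opt_in, false));
    return 0;
}
```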
