On Tue, Aug 24, 2021 at 12:07 AM Chris Adams <li...@cmadams.net> wrote: > > Once upon a time, Alexander Sosedkin <asosed...@redhat.com> said: > > Sure. Crypto-policies are there to give you control of what's enabled, > > ideally what's enabled by default. > > > > 1) There's a blanket `update-crypto-policies --set LEGACY` > > 2) There's a possibility to reenable disabled algorithms with custom > > policies, > > allowing to go even lower than LEGACY (which you > > shouldn't really do on public networks, but who's there to stop you) > > 3) (F35+) There's a possibility to reenable algorithms per backends, > > say, for NSS, Java or krb5 only > > 4) (In an ideal world) crypto-policies settings should act as defaults, > > meaning apps should be able to further modify them, > > offer weaker methods with a warning, etc > > 5) There are total per-backend opt-out mechanisms / procedures > > Missing #4 is what makes a lot of this not as useful.
Yes, and consider myself to be the person who needs the least amount of convincing on that subject [1]. Work is underway to shift away from it in gnutls case. > I understand the effort that has gone into this > and appreciate stepping up security, > but... what matters as a user is "can I get to this site in Firefox", > "does this VPN work", etc. Browsers are probably the highest-impact > user of this, and it is all-or-nothing there AFAIK. Having to lower the > level across the board so that I can download router firmware images or > connect to my work VPN kind of scraps all the effort. [1] https://gitlab.com/gnutls/gnutls/-/issues/1172 _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
