On Tue, Jul 12, 2016 at 5:33 AM, Daniel Kalchev <dan...@digsys.bg> wrote:
> > > On 12.07.2016 г., at 13:26, Franco Fichtner <fra...@lastsummer.de> > wrote: > > > > > >> On 12 Jul 2016, at 11:59 AM, Daniel Kalchev <dan...@digsys.bg> wrote: > >> > >> It is trivial to play MTIM with this protocol and in fact, there are > commercially available “solutions” for “securing one’s corporate network” > that doe exactly that. Some believe this is with the knowledge and approval > of the corporation, but who is to say what the black box actually does and > whose interests it serves? > > > > It's also trivial to ignore that pinning certificates and using client > > certificates can actually help a great deal to prevent all of what you > > just said. ;) > > I don’t know many users who even know that they can do this — much less > actually using it. Pinning the browser vendor’s certificates does not > protect you from being spied while visiting someone else’s site. This is > also non-trivial to support. > In the early days of DANE, Google even had a version of Chrome that > supported DANE, just to kill it a bit later: > https://www.ietf.org/mail-archive/web/dane/current/msg06980.html > > > > > The bottom line is not having GOST support readily available could > alienate > > a whole lot of businesses. Not wanting those downstream use cases will > make > > those shift elsewhere and the decision will be seen as an overly > political > > move that in no possible way reflects the motivation of community growth. > > > Exactly — especially as long as there is no demonstrable proof that GOST > is actually broken. I may have been misunderstood, possibly because I was unclear. I do not object to GOST being readily available as it is legally required in some places. I do object on its being enabled by default and I do object to standards endorsing it use, though I do not object to standards for GOST, itself. Making the method for enabling GOST simple and clearly documented is a reasonable thing and, as long as its use is mandated it is really essential. And, thinks, Andrey, for clarifying the Russian law. I don't know the language and have depended on others for the details. In areas of tine points of laws, this is often inadequate. (As it is when you read the language fluently. I read and speak American English quite well, but that does not mean that legalese is covered.) Reality is that the law is what those charges with formal interpretation of it say it is. In the US, that is the Supreme Court. Not sure who is in Russia, but it's not me!) -- Kevin Oberman, Part time kid herder and retired Network Engineer E-mail: rkober...@gmail.com PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683 _______________________________________________ firstname.lastname@example.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"