On 07.11.2013 12:16, Dave Cridland wrote:
> On Wed, Nov 6, 2013 at 8:02 PM, Alexander Holler <[email protected]> wrote:
>> Not exactly the same, but I don't like the part
>> "or require cipher suites that enable forward secrecy"
>> for the same reason. OpenSSL 1.x hasn't been around that long, and there are
>> still many systems which do use e.g. Debian squeeze. And I assume the
>> state of OpenSSL on other "stable" systems like e.g. SLES or RHEL isn't
>> much better (but that's just an assumption from me).
>
> I hate to say it, but... If the TLS implementation you're using in
> production isn't sufficient, then trying to change what "sufficient" means
> is probably not the right approach.

I didn't speak about production environments. The manifesto affects all
users and a lot of them don't (have to) care about production environments.
E.g. my server only has to serve my needs and nobody else's. So I can
make a lot of compromises, up to the fact that I don't care if the NSA
or GCHQ would be dumb enough to snoop on my communications which happen
over my XMPP server (which isn't that much).
But I care if my server wouldn't be able to communicate with other
servers because they require e.g. TLSv1.2.
So, please, don't interpret that to mean that I don't care about production
environments. I'm just able to differentiate between a production
environment and an environment with much less stringent requirements.
I'm pretty aware of the different requirements.
Alexander Holler.