On Thu, Nov 07, 2013 at 08:50:23PM +0100, Alexander Holler wrote: > Am 07.11.2013 19:37, schrieb Dave Cridland: > >On Thu, Nov 7, 2013 at 12:47 PM, Alexander Holler > ><[email protected]>wrote: > > > >>I didn't speak about production environments. The manifesto affects all > >>users and a lot of them don't (have to) care about production environments. > >> > >> > >By users we mean end-users, ie, users on your server? > > There is no difference. I know of a lot of "production" environments > which still do use much older systems. E.g. I've already mentioned > SLES and RHEL. > > "up to date" is the keyword here. E.g. squeeze is still supported > but it's openssl doesn't support TLSv1.2. And even if it would be > EOL, I would like it, if I would have the freedom to choose myself, > when I stop using it. > > Some people just don't want to buy a new phone every year. And there > are many legitimate reasons to refuse upgrading a phone, pc or > whatever to the latest available software versions. > > >Your server is surely in production, isn't it? > > > > Production means "deployed for everyday use", in my mind. > > > > Sure, therefor I'm here and speak against the requirement for > TLSv1.2. The manifesto sounds like it might be a good idea to > enforce that requirement on the S2S too, and that clearly isn't what > should be done in my opinion. > > I now could start to talk about the questionable requirement for > "trusted" certificates (whatever that should be) or DNSSEC (which I > see as a red button in the hand of a foreign, not that friendly, > government, which for sure doesn't care about me), but I think it's > better not to start such a discussion here. > > I already seem to be pretty alone with letting the user choose what > he thinks he needs (I'm pretty in support of encouraging strong > encryption, just not of _requiring_ it, at least not now). > > >In any case, the attack vector here isn't that the NSA or GCHQ are > >targetting you specifically. It's that they're targetting everyone, and > >keeping that information around in case they need it later. This is why > >we're suggesting encrypting everything, and with PFS, so that it's > >worthless, and so they *need* to target you to snoop on you. > > I know that all that (don't misinterpret the fact that I've > forgotten that DH is supported by openssl since a long time), but I > wouldn't use my server for any communication I want to be secret. At > least not for stuff which isn't p2p encrypted (and XMPP usually is > not). > > Regards, > > Alexander Holler
Hi, I might have misunderstood, but it seems that you are mostly against draft-saintandre-xmpp-tls, rather than the points stated in this manifesto, as it is only a manifesto. The manifesto only creates requirements for people that sign it; the only requirement for interoperability is that your server, to be compatible with the ones that sign the manifesto, must support s2s encryption and a FS suite (although I agree that allowing servers to *require* FS might be a little strong). On updating software/hardware, I think it is reasonable to assume that anything that runs today is able to negociate TLSv1, which I consider the baseline. The manifesto says that software that endorses it must be able to negociate and prefer TLSv1.2; I consider that as *new versions* of the software, on an up-to-date system. We can’t realistically have every XMPP software bundling its own recent OpenSSL because debian is stable. As someone who runs his own XMPP service, I won’t ever have a “trusted certificate” as a matter of principles, but I don’t see what would impact me in other people signing this manifesto. In my opinion, the manifesto is, for software, to kill SSLv2 and SSLv3 for good, and provide security sane defaults that can be changed. For deployments, it’s more about upgrading the network, which security properties haven’t been updated in a while, and to provide a set of quality guarantees for a large number of public XMPP services. A bit of off-topic, but out of curiosity, what would you use for a communication you want to keep secret? I think that’s precisely what a personal server is for. Regards -- Mathieu Pasquet (mathieui)
pgp_wWuA_Q8Td.pgp
Description: PGP signature
_______________________________________________ JDev mailing list Info: http://mail.jabber.org/mailman/listinfo/jdev Unsubscribe: [email protected] _______________________________________________
