On Mon, 2014-03-31 at 13:55 +0000, Viktor Dukhovni wrote:
> > > This too feels like intrusive overreach. What problem are you
> > > trying to solve?
> > The goal is to allow the configuration of the security level of
> > applications centrally in a system. That is, to not require the
> > administrator to configure each and every service to obtain a sane
> > security level, to simplify the current best practices [0].
> This assumes that there is such a thing as a uniformly applicable
> security policy that applies equally to opportunistic use TLS,
> mandatory use of unauthenticated TLS, authenticated TLS with modest
> security requirements, and transport of highly sensitive data.

I disagree. The problem in current systems isn't that there are
different policies required per application, but the fact that in
practice there is no policy set for any application. Nevertheless, with
the approach I describe, the current situation can be kept when needed
by just not using the "system" keyword.

regards,
Nikos
