On 4/20/15 3:57 PM, Peter Saint-Andre - &yet wrote:

On 4/20/15 3:43 PM, Barry Leiba wrote:

<snip/>

-- Section 3.6 --

I understand that, while most users won't understand it, there's value in
trying to communicate to an end user that she is using a secure
connection.

I am very skeptical that there's the slightest bit of value in giving end
users information about the version of TLS used, the mechanism for
verification, the details of the certs (if any), or the details of the
cipher suite.  I'm certainly skeptical that making that available to end
users should rise to the level of "strongly encouraged".  I'm not going
to block anything with regard to this, but I see this as something you
might strongly encourage be available to an administrator, but not to an
end user (other than, perhaps, by enabling detailed logging through an
advanced setting, then inspecting the logs).

At one point in the history of this document, we had separate bullet
lists for administrators and end users. There was so much overlap that
it was confusing. However, we might consider bringing that back.

BTW, we based the user-oriented recommendation somewhat on current practices in web browsers. For instance, Firefox has an indicator showing whether a connection is encrypted, but also has an advanced option that enables a user to view the certificate and also see the TLS version and cipher suite (e.g., my connection to datatracker.ietf.org uses TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256). I suppose we can argue about how useful this information is to a "normal" user, but deliberately hobbling XMPP clients in comparison to (some) web browsers seems less than completely helpful.

Peter

--
Peter Saint-Andre
https://andyet.com/

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
