[jdev] manifesto 0.4

[Kwadronaut]

On 06/11/13 21:02, Alexander Holler wrote:
> Am 30.10.2013 15:58, schrieb Thijs Alkemade:
>> On 30 okt. 2013, at 15:53, Tomasz Sterna <tomek at xiaoka.com> wrote:
>>> Dnia 2013-10-30, śro o godzinie 01:21 +0100, Mathieu Pasquet pisze:
>>>> Dropping SSLv2 is all good and I’m not even sure why SSLv2 was
>>>> supported initially (doesn’t xmpp appear after SSLv3 was
>>>> standardized?), but dropping SSLv3, while also a good idea, might
>>>> cause issues with lots of servers
>>>
>>> And discouraging TLSv1 in favor of TLSv1.2 when latest OpenSSL does not
>>> even support TLSv1.1 nor v1.2 is a pie-in-the-sky.
>>
>> OpenSSL supports TLS 1.2 since 1.0.1 (and I think TLS 1.1 since the same
>> version), released March 14th, 2012.
>>
> 
> Not exactly the same, but I don't like the part
> 
> "or require cipher suites that enable forward secrecy"

That in itself isn't bad at all, rather the opposite, it's great. But
yes, what are the implications of a push towards this?
Openssl supports and accepts 16-bit DHE-group. [1] Current Java 6&7
don't like any DHE >1024bits (workaroud exists by using Bouncycastles
JCE). Without looking at what is still around as Alexander did, I wonder
about the consequences of such a push. When choosing the wrong thing we
might be *worse* off. I don't feel this is addressed in
https://datatracker.ietf.org/doc/draft-saintandre-xmpp-tls/?include_text=1
And the best of it all: we don't have a way to negotiate the size of the
DHE, whatever the server sends is to be used. [2].

Would it be possible to change the wording in a meaningful way to either
make operators more aware of the pitfalls and/or make sure that they're
not actually downgrading what they currently use? Other opinions? Am I
overlooking some things?

salut,

kwadronaut


[1] http://marc.info/?l=openssl-dev&m=138371309522047&w=2
[2] https://www.ietf.org/mail-archive/web/tls/current/msg10022.html