[jdev] manifesto 0.4

Alexander Holler holler at ahsoftware.de
Thu Nov 7 13:25:44 UTC 2013


Am 07.11.2013 13:47, schrieb Alexander Holler:
> Am 07.11.2013 12:16, schrieb Dave Cridland:
>> On Wed, Nov 6, 2013 at 8:02 PM, Alexander Holler
>> <holler at ahsoftware.de>wrote:
>>
>>> Not exactly the same, but I don't like the part
>>>
>>> "or require cipher suites that enable forward secrecy"
>>>
>>> for the same reason. OpenSSL 1.x isn't around that long, and there are
>>> still many systems which do use e.g. Debian squeeze. And I assume the
>>> state of OpenSSL on other "stable" systems like e.g. SLES or RHEL isn't
>>> much better (but that's just an assumption from me).
>>>
>>
>> I hate to say it, but... If the TLS implementation you're using in
>> production isn't sufficient, then trying to change what "sufficient"
>> means
>> is probably not the right approach.
>
> I didn't speak about production environments. The manifesto affects all
> users and a lot of them don't (have to) care about production environments.
>
> E.g. my server only has to serve my needs and nobody else's. So I can
> make a lot of compromises, up to the fact that I don't care if the NSA
> or GCHQ would be dumb enough to snoop on my communications which happen
> over my XMPP server (which isn't that much).
>
> But I care if my server wouldn't be able to communicate with other
> servers because they require e.g. TLSv1.2.
>
> So, please, don't interpret that such that I don't care for production
> environments. I'm just able to differentiate between a production
> environment and an environment with much less stringent requirements.
>
> I'm pretty aware of the different requirements.

Besides that, Debian squeeze EOL seems to be February 2014, so by 
then I will have updated my little server. So my XMPP server on my 
Debian server will then have the pleasure of being able to use OpenSSL 1.x 
without any additional effort on my side. So at least the problem with 
missing TLSv1.2 support will be gone for me by then, without me having 
to spend production-like resources right now (ok, I still have to make 
the update, but that is already scheduled in my resource planning for my 
little server). Unfortunately I can't spend as many resources on my 
little server as I'm able to for production environments.

Regards,

Alexander Holler

