[jdev] manifesto 0.4

Alexander Holler holler at ahsoftware.de
Thu Nov 7 19:50:23 UTC 2013


On 07.11.2013 19:37, Dave Cridland wrote:
> On Thu, Nov 7, 2013 at 12:47 PM, Alexander Holler <holler at ahsoftware.de> wrote:
>
>> I didn't speak about production environments. The manifesto affects all
>> users and a lot of them don't (have to) care about production environments.
>>
>>
> By users we mean end-users, ie, users on your server?

There is no difference. I know of a lot of "production" environments 
which still do use much older systems. E.g. I've already mentioned SLES 
and RHEL.

"up to date" is the keyword here. E.g. squeeze is still supported but
its openssl doesn't support TLSv1.2. And even if it were EOL, I
would like to have the freedom to choose for myself when I stop
using it.

Some people just don't want to buy a new phone every year. And there are 
many legitimate reasons to refuse upgrading a phone, pc or whatever to 
the latest available software versions.

> Your server is surely in production, isn't it?
>
> Production means "deployed for everyday use", in my mind.
>

Sure, therefore I'm here and speak against the requirement for TLSv1.2.
The manifesto sounds like it might be a good idea to enforce that 
requirement on the S2S too, and that clearly isn't what should be done 
in my opinion.

I now could start to talk about the questionable requirement for 
"trusted" certificates (whatever that should be) or DNSSEC (which I see 
as a red button in the hand of a foreign, not that friendly, government, 
which for sure doesn't care about me), but I think it's better not to 
start such a discussion here.

I already seem to be pretty alone with letting the user choose what he
thinks he needs (I'm pretty in support of encouraging strong encryption, 
just not of _requiring_ it, at least not now).

> In any case, the attack vector here isn't that the NSA or GCHQ are
> targeting you specifically. It's that they're targeting everyone, and
> keeping that information around in case they need it later. This is why
> we're suggesting encrypting everything, and with PFS, so that it's
> worthless, and so they *need* to target you to snoop on you.

I know all that (don't misinterpret the fact that I've forgotten
that DH has been supported by openssl for a long time), but I wouldn't use
my server for any communication I want to be secret. At least not for
stuff which isn't p2p encrypted (and XMPP usually is not).

Regards,

Alexander Holler

