[jdev] manifesto 0.4

Mathieu Pasquet mathieui at mathieui.net
Thu Nov 7 21:03:07 UTC 2013 

On Thu, Nov 07, 2013 at 08:50:23PM +0100, Alexander Holler wrote:
> Am 07.11.2013 19:37, schrieb Dave Cridland:
> >On Thu, Nov 7, 2013 at 12:47 PM, Alexander Holler <holler at ahsoftware.de>wrote:
> >
> >>I didn't speak about production environments. The manifesto affects all
> >>users and a lot of them don't (have to) care about production environments.
> >>
> >>
> >By users we mean end-users, ie, users on your server?
> 
> There is no difference. I know of a lot of "production" environments
> which still do use much older systems. E.g. I've already mentioned
> SLES and RHEL.
> 
> "up to date" is the keyword here. E.g. squeeze is still supported
> but it's openssl doesn't support TLSv1.2. And even if it would be
> EOL, I would like it, if I would have the freedom to choose myself,
> when I stop using it.
> 
> Some people just don't want to buy a new phone every year. And there
> are many legitimate reasons to refuse upgrading a phone, pc or
> whatever to the latest available software versions.
> 
> >Your server is surely in production, isn't it?
> >
> > Production means "deployed for everyday use", in my mind.
> >
> 
> Sure, therefor I'm here and speak against the requirement for
> TLSv1.2. The manifesto sounds like it might be a good idea to
> enforce that requirement on the S2S too, and that clearly isn't what
> should be done in my opinion.
> 
> I now could start to talk about the questionable requirement for
> "trusted" certificates (whatever that should be) or DNSSEC (which I
> see as a red button in the hand of a foreign, not that friendly,
> government, which for sure doesn't care about me), but I think it's
> better not to start such a discussion here.
> 
> I already seem to be pretty alone with letting the user choose  what
> he thinks he needs (I'm pretty in support of encouraging strong
> encryption, just not of _requiring_ it, at least not now).
> 
> >In any case, the attack vector here isn't that the NSA or GCHQ are
> >targetting you specifically. It's that they're targetting everyone, and
> >keeping that information around in case they need it later. This is why
> >we're suggesting encrypting everything, and with PFS, so that it's
> >worthless, and so they *need* to target you to snoop on you.
> 
> I know that all that (don't misinterpret the fact that I've
> forgotten that DH is supported by openssl since a long time), but I
> wouldn't use my server for any communication I want to be secret. At
> least not for stuff which isn't p2p encrypted (and XMPP usually is
> not).
> 
> Regards,
> 
> Alexander Holler

Hi,
I might have misunderstood, but it seems that you are mostly against
draft-saintandre-xmpp-tls, rather than the points stated in this
manifesto, as it is only a manifesto. The manifesto only creates
requirements for people that sign it; the only requirement for
interoperability is that your server, to be compatible with the ones
that sign the manifesto, must support s2s encryption and a FS suite
(although I agree that allowing servers to *require* FS might be
a little strong).

On updating software/hardware, I think it is reasonable to assume that
anything that runs today is able to negociate TLSv1, which I consider
the baseline. The manifesto says that software that endorses it must
be able to negociate and prefer TLSv1.2; I consider that as *new
versions* of the software, on an up-to-date system. We can’t
realistically have every XMPP software bundling its own recent OpenSSL
because debian is stable.

As someone who runs his own XMPP service, I won’t ever have a “trusted
certificate” as a matter of principles, but I don’t see what would impact
me in other people signing this manifesto.

In my opinion, the manifesto is, for software, to kill SSLv2 and SSLv3
for good, and provide security sane defaults that can be changed. For
deployments, it’s more about upgrading the network, which security
properties haven’t been updated in a while, and to provide a set of
quality guarantees for a large number of public XMPP services.

A bit of off-topic, but out of curiosity, what would you use for a
communication you want to keep secret? I think that’s precisely what
a personal server is for.

Regards

-- 
Mathieu Pasquet (mathieui)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <https://www.jabber.org/jdev/attachments/20131107/cc7453e4/attachment.pgp>

More information about the JDev mailing list