[jdev] manifesto 0.4

Yann Leboulanger asterix at lagaule.org
Wed Oct 30 14:36:52 UTC 2013


On 10/30/2013 01:21 AM, Mathieu Pasquet wrote:
> On Tue, Oct 29, 2013 at 05:09:32PM -0600, Peter Saint-Andre wrote:
>>
>> I just updated the encryption manifesto to incorporate feedback and
>> clarify a few points:
>>
>> https://github.com/stpeter/manifesto/blob/master/manifesto.txt
>>
>> Your feedback (and signatures!) matter.
>>
>> Peter
>>
>> - --
>> Peter Saint-Andre
>> https://stpeter.im/
>>
>
> Hi,
>
> Before signing the manifesto as a software developer, there are
> a few things that are unclear and I’m not sure we can commit to
> this just yet:
>
> Dropping SSLv2 is all good and I’m not even sure why SSLv2 was
> supported initially (didn’t XMPP appear after SSLv3 was standardized?),
> but dropping SSLv3, while also a good idea, might cause issues with lots
> of servers (not naming legacy ejabberd or openfire under old debian or
> centos). Hopefully, we have some time to wake up some admins before the
> dates set in the manifesto, but I hope the test days will help
> troubleshoot the ones that don’t get the memo.
>
> Do we need, to be consistent, to disable the protocol but indicate to
> the user he will need to perform an extra action to be able to connect,
> or do we need to make the connection impossible in any case?
>
> I find the other points sensible, so I have nothing to add, except
> maybe separating clearly clients & server requirements.

I'd also like some clarification about removing plain connections.
In some situations (you have a local server, for example) the server can allow
only non-secure connections to prevent memory consumption. So should we
really disable plain connections or just disable them by default, and
require some advanced user configuration to enable them?

-- 
Yann
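An added example (not from this thread or from any of the projects named in it) of the two client-side choices under discussion: a TLS client context that can never negotiate SSLv2 or SSLv3, and a connection policy where plain connections are off by default and only possible through an explicit per-account setting, with a message telling the user what extra step is needed. The `AccountSettings` fields, the `Decision` shape and the TLS 1.2 floor are assumptions of this example, not requirements of the manifesto text.

```python
import ssl
from dataclasses import dataclass

# Assumption: the manifesto as quoted only asks for SSLv2/SSLv3 to be dropped;
# a TLS 1.2 floor is this example's own, stricter choice.
TLS_FLOOR = ssl.TLSVersion.TLSv1_2


@dataclass
class AccountSettings:
    """Hypothetical per-account client settings (names are assumptions)."""
    host: str
    allow_plaintext: bool = False  # advanced opt-in, off by default


@dataclass
class Decision:
    action: str        # "starttls", "plain" or "refuse"
    user_message: str  # shown to the user when the client will not connect


def make_client_context() -> ssl.SSLContext:
    """Client context that cannot fall back to SSLv2/SSLv3.

    create_default_context() already requires a valid certificate and checks
    the hostname; setting a minimum version removes any downgrade path, so a
    server that only speaks SSLv3 simply fails the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = TLS_FLOOR
    return ctx


def select_transport(server_offers_starttls: bool, settings: AccountSettings) -> Decision:
    """Decide what to do with a server's stream features.

    Plain is only chosen when the user explicitly enabled it for this account
    (the "disable by default, enable via advanced configuration" option raised
    in the thread); otherwise the client refuses and says what would be needed.
    """
    if server_offers_starttls:
        return Decision("starttls", "")
    if settings.allow_plaintext:
        return Decision("plain", "")
    return Decision(
        "refuse",
        f"{settings.host} offers no STARTTLS. Connecting without encryption is "
        "disabled; enable 'allow plaintext' in this account's advanced settings "
        "if you really want to connect to it.",
    )
```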
