<div dir="ltr">On Wed, Oct 30, 2013 at 12:21 AM, Mathieu Pasquet <span dir="ltr">&lt;<a href="mailto:mathieui@mathieui.net" target="_blank">mathieui@mathieui.net</a>&gt;</span> wrote:<br><div class="gmail_extra"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><br></div>
Before signing the manifesto as a software developer, there are<br>
a few things that are unclear and I’m not sure we can commit to<br>
this just yet:<br>
<br>
Dropping SSLv2 is all good and I’m not even sure why SSLv2 was<br>
supported initially (doesn’t XMPP appear after SSLv3 was standardized?),<br>
but dropping SSLv3, while also a good idea, might cause issues with lots<br>
of servers (not naming legacy ejabberd or Openfire under old Debian or<br>
CentOS). Hopefully, we have some time to wake up some admins before the<br>
dates set in the manifesto, but I hope the test days will help<br>
troubleshooting the ones that don’t get the memo.<br>
<br></blockquote><div><br></div><div>Well, I think you've answered your own question there. The manifesto sets out the aims, but I'm hoping that we're not so blinkered that we cannot adapt the rules as we go along. So if it turns out that - despite the IM Observatory's work so far - SSLv3 is essential for interop, and we cannot work with the affected sites to correct this, then we might revisit that.</div>
<div><br></div><div>Dave.</div></div></div></div>