
Author naif
Recipients gregory.p.smith, jcea, naif, pitrou, vstinner
Date 2011-12-22.10:51:06
Message-id <1324551067.4.0.411551629216.issue13636@psf.upfronthosting.co.za>
Content
Regarding the maintenance, I expect that, if we make a future-proof choice, it would take at least 5 years before someone needs to have other ciphers added.

Consider that a new cipher is standardized once every X years, and typically, if it gets diffused/adopted (and not abandoned or marginally used), it will happen in a few more years.

The new ciphers will get into OpenSSL, so the proposed approach to:
- Start from default
- Disable anything that's
  - Insecure/Weak
  - Not used/widely used

would still mean that, when the OpenSSL library adds a new cipher because a new RFC comes out, it will for sure not be insecure/weak. There is a chance that it will not get used/widely used; in that case, in some other year, we'll update the default disabled ciphers.

But such an approach would provide very "low maintenance", because "not doing anything" can only create a situation where "more ciphers" get added by default (included in newer OpenSSL / new TLS RFC).

But those new ciphers will not be weak, even if not maintained.
History
Date User Action Args
2011-12-22 10:51:07 naif set recipients: + naif, gregory.p.smith, jcea, pitrou, vstinner
2011-12-22 10:51:07 naif set messageid: <1324551067.4.0.411551629216.issue13636@psf.upfronthosting.co.za>
2011-12-22 10:51:06 naif link issue13636 messages
2011-12-22 10:51:06 naif create
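
The "start from default, then disable" approach described in the message above, sketched with Python's `ssl` module. This is an added example, not code from the message or from CPython. The excluded keywords, the pinned allowlist and the 128-bit floor are assumptions chosen for illustration.

```python
import ssl

# Assumed exclusions for illustration; the message names categories, not ciphers.
EXCLUDE = ("aNULL", "eNULL", "MD5", "RC4", "3DES")
# Assumed pinned allowlist, used only to contrast the two maintenance models.
PINNED = "ECDHE+AESGCM"


def exclusion_cipher_string(exclude=EXCLUDE):
    """Build 'DEFAULT:!x:!y': whatever the linked OpenSSL offers, minus exclusions."""
    return "DEFAULT:" + ":".join("!" + keyword for keyword in exclude)


def build_context(cipher_string):
    """Client context whose TLS <= 1.2 cipher list follows cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx


def enabled_names(ctx):
    """Names of the cipher suites this context will offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def audit(ctx, min_bits=128, banned=("NULL", "RC4", "MD5", "DES")):
    """Return suites that still look weak: banned name token or short key."""
    weak = []
    for c in ctx.get_ciphers():
        if c["strength_bits"] < min_bits or any(b in c["name"] for b in banned):
            weak.append((c["name"], c["strength_bits"]))
    return weak


def missed_by_allowlist(exclusion_ctx, allowlist_ctx):
    """Suites the exclusion policy enables that a pinned allowlist never will.

    New suites shipped by a later OpenSSL show up here without any code change,
    which is the low-maintenance property argued for in the message.
    """
    pinned = set(enabled_names(allowlist_ctx))
    return sorted(n for n in enabled_names(exclusion_ctx) if n not in pinned)


if __name__ == "__main__":
    excl = build_context(exclusion_cipher_string())
    print(ssl.OPENSSL_VERSION)
    print("weak suites still enabled:", audit(excl))
    print("enabled but absent from allowlist:",
          missed_by_allowlist(excl, build_context(PINNED)))
```

Running `audit()` after each OpenSSL upgrade is the periodic check the message alludes to: the exclusion list only needs editing when that function starts returning entries.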