Message150086
Regarding the maintenance, I expect that, if we make a future-proof choice, it would take at least 5 years before someone will need to have other ciphers added.
Consider that a new cipher is standardized once every X years, and typically, if it gets diffused/adopted (and not abandoned or marginally used), that will happen over a few more years.
The new ciphers will get into OpenSSL, so the proposed approach to:
- Start from default
- Disable anything that's
  - Insecure/weak
  - Not used/widely used
would still mean that, when the OpenSSL library adds a new cipher because a new RFC comes out, for sure it will not be insecure/weak. There is a chance that it will not get used/widely used; in that case, in some other year, we'll update the default disabled ciphers.
But such an approach would be very "low maintenance", because "not doing anything" can only create a situation where "more ciphers" get added by default (included in a newer OpenSSL / a new TLS RFC).
But those new ciphers will not be weak, even if not maintained.
History:

Date | User | Action | Args
2011-12-22 10:51:07 | naif | set | recipients: + naif, gregory.p.smith, jcea, pitrou, vstinner
2011-12-22 10:51:07 | naif | set | messageid: <1324551067.4.0.411551629216.issue13636@psf.upfronthosting.co.za>
2011-12-22 10:51:06 | naif | link | issue13636 messages
2011-12-22 10:51:06 | naif | create |
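The subtraction-only cipher list that the message argues for, written against Python's ssl module as an added example; this is not code from the original message, from the issue's patches, or from CPython. The starting point is OpenSSL's own DEFAULT keyword, and every other token only removes a group, which is exactly what makes the list pick up suites OpenSSL adds later without anyone editing it. The keyword groups chosen, the split into "insecure/weak" versus "not widely used", and all function names are illustrative assumptions; the check functions let you see, on the OpenSSL you actually link against, what the exclusions removed and that nothing weak survived.

```python
"""Exclusion-based cipher list for Python's ssl module (added example).

Assumptions, not taken from the original message: the keyword groups
below are one illustrative choice. OpenSSL's own DEFAULT list is the
starting point, so anything OpenSSL adds later is offered unless it is
explicitly subtracted here.
"""
import ssl

# Groups removed because they are insecure or weak. These are OpenSSL
# cipher-string keywords; '!' makes the removal permanent, so a later
# token cannot silently re-add them.
INSECURE_OR_WEAK = ("aNULL", "eNULL", "EXPORT", "DES", "3DES", "RC4", "MD5")
# Groups removed only because they are rarely used in practice (illustrative).
NOT_WIDELY_USED = ("PSK", "SRP", "DSS")


def build_cipher_string(base="DEFAULT", excluded=INSECURE_OR_WEAK + NOT_WIDELY_USED):
    """Start from OpenSSL's default list and subtract groups.

    Nothing is added by hand, so new suites that ship in a newer OpenSSL
    show up automatically; maintenance is limited to growing 'excluded'.
    """
    return ":".join((base,) + tuple("!" + group for group in excluded))


def negotiable_cipher_names(cipher_string):
    """Names OpenSSL would actually offer for a context using cipher_string.

    set_ciphers raises ssl.SSLError when the string leaves no TLS 1.2-or-older
    suite at all, which is how an over-aggressive exclusion list fails loudly
    at startup rather than at the first handshake. TLS 1.3 suites are managed
    separately by OpenSSL and are reported alongside the others.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_entries(cipher_names):
    """Suites whose names still show a primitive the exclusions should have dropped."""
    markers = ("NULL", "EXP", "DES", "RC4", "MD5", "ADH-", "AECDH-", "PSK", "SRP", "DSS")
    return [n for n in cipher_names if any(m in n for m in markers)]


def minimum_strength_bits(cipher_string):
    """Smallest symmetric key strength OpenSSL reports for the resulting list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return min(c["strength_bits"] for c in ctx.get_ciphers())


def removed_from_default(cipher_string):
    """What the exclusions took away relative to bare DEFAULT on this OpenSSL build."""
    default = negotiable_cipher_names("DEFAULT")
    kept = set(negotiable_cipher_names(cipher_string))
    return [n for n in default if n not in kept]


if __name__ == "__main__":
    spec = build_cipher_string()
    print("cipher string:", spec)
    print("linked against:", ssl.OPENSSL_VERSION)
    for name in negotiable_cipher_names(spec):
        print("  ", name)
    print("removed vs DEFAULT:", removed_from_default(spec))
    print("weakest remaining suite (bits):", minimum_strength_bits(spec))
```

Run it once per OpenSSL upgrade: the "removed vs DEFAULT" line is the only thing that should change, and only when OpenSSL reshuffles its own default; a new RFC suite simply appears in the offered list. The one caveat the message does not mention is that TLS 1.3 suites are not governed by this string at all on OpenSSL 1.1.1 and later, so an exclusion here never affects them.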