[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: The netsec thread
|
From: |
Jimmy Yuen Ho Wong |
|
Subject: |
Re: The netsec thread |
|
Date: |
Mon, 23 Jul 2018 16:22:28 +0100 |
>> The reason I need glob is IGTF's fetch-crl will put ~100s CRL PEM
>> files into the file system, it's very cumbersome to specify them
>> 1-by-1.
>
> What's IGTF?
>
The only way that I know of where you can get a set of CRL in PEM
without writing a program. It's availble in every Debian distro as
igtf-policy-bundle or something like it.
https://www.igtf.net/
>> Sorry I got lost in that giant thread.
>> `gnutls_dh_set_prime_bits` is only deprecated on GnuTLS 3.1.7+. Are we
>> dropping support for all version < 3.1.7? I'd be super happy to do it
>> if that's the case and remove this var and the C code entirely.
>
> Sure, but making it obsolete won't mean that we drop anything until,
> like, 2023, and by then GnuTLS will be up to 5.4.13.
>
I take this means removing the related code entirely but not declare
in the NEWS file like 26.1 that we are now requiring GnuTLS >= 3.1.7.
Sounds good to me.
>
> But mentioning "Snowden" doesn't really help, either. I think most
> people understands that "low security" means, like, not very secure, and
> that's sufficient.
>
Fine by me. So, go back to the original wording and just checks the
certs and fingerprints on low is what you are saying?
>>> Calling protocol checks "TLS" checks isn't future proof. We've
>>> already had one politically motivated name change (from SSL to TLS)
>>> and we may have another. And besides, many of these checks are also
>>> valid for SSL, so it's just confusing.
>>
>> The TLS working group wasn't even willing to call TLS 1.3[1] TLS 2.0
>> even when it's a major departure from it. I doubt we need to worry
>> about extra work to change a name. YAGNI applies.
>
> There is no extra work, because we shouldn't call the functions
> something containing "tls".
>
But that's not what you argue for originally. I can drop the `-tls-`
bit if that makes that part of the shed more palettable.
>> `nsm-tls-checks` is already a defcustom. It's super easy to add and
>> remove a function. You can defun whatever name you want and add to it,
>> and click [-] to remove. Using name mangling magic to fish out a check
>> function makes defcustom super-awkward, and AFAIK, no other emacs core
>> setting does it this way.
>
> There's a bunch of "feature" setting that do not include full function
> names.
>
???
- Re: The netsec thread, (continued)
- Re: The netsec thread, Eli Zaretskii, 2018/07/23
- Re: The netsec thread, Jimmy Yuen Ho Wong, 2018/07/23
- Re: The netsec thread, Robert Pluim, 2018/07/23
- Re: The netsec thread, Jimmy Yuen Ho Wong, 2018/07/23
- Re: The netsec thread, Robert Pluim, 2018/07/23
- Re: The netsec thread, Eli Zaretskii, 2018/07/23
- Re: The netsec thread, Robert Pluim, 2018/07/23
- Re: The netsec thread, Lars Ingebrigtsen, 2018/07/23
- Re: The netsec thread,
Jimmy Yuen Ho Wong <=
- Re: The netsec thread, Lars Ingebrigtsen, 2018/07/23
- Re: The netsec thread, Jimmy Yuen Ho Wong, 2018/07/23
- Re: The netsec thread, Noam Postavsky, 2018/07/23
- Re: The netsec thread, Lars Ingebrigtsen, 2018/07/23
- Re: The netsec thread, Andreas Schwab, 2018/07/23
Re: The netsec thread, Jimmy Yuen Ho Wong, 2018/07/20