Re: Schedule for Monday's FESCo Meeting (2021-08-23)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Aug 27, 2021 at 6:28 PM przemek klosowski via devel
<devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>
> On 8/25/21 4:54 AM, Alexander Sosedkin wrote:
>
> It's not ideal if one obsolete website forces downgrading the security
> potentially for all the connections. I hope 5) is addressing that.
>
> That's something apps and only apps can handle.
>
> Well, but if the system policy says that TLS1.0 is banned, the only way for the app to downgrade would be if it had its own TLS stack, right?

The right way is to make the library provide an API that overrides
these defaults, and the application to call that API when it's
confident it should deviate from the distribution defaults.
The current way is that some libraries allow such overriding and some don't.

> I do realize that the current policy mechanism is not designed for narrow deviations, I am just pointing out that it's not ideal because in practice people downgrade because they need narrow deviations for specific connections, and as you well know, relaxing the rules for all connections opens the door to downgrade attacks even on the connections that are capable of TLS2.0.
>
> I am asking if there is another way, for instance by having a per-interface policies, and setting up the relaxed rules for an interface that routes traffic to this one deficient remote endpoint.

It'd be very interesting, hard, and abstraction-permeating to make
crypto library configuration depend on endpoints or interfaces, but
this is definitely something that should start from within either apps
or crypto libraries themselves. crypto-policies is the furthermost
component away from things like interfaces and endpoints.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux