Re: help needed on AskFedora: OpenSSLv3 error when connecting to Eduroam

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

V Thu, Jun 30, 2022 at 10:46:27PM +0100, Richard W.M. Jones napsal(a):
> Practically what would help is an easier way to reduce security for
> only specific sites + protocols.  It's very easy right now to set the
> whole system to LEGACY, and much harder to set legacy for a specific
> site + protocol.  (In fact I have no idea how to go about it for this
> particular case we're talking about.)
> 
Cryptopolicy would work as a soft limit. Cryptolibraries would return
a distinct error INSECURE instead of UNKNOWN. Applications on the INSECURE
error would offer a user to override the cryptopolicy soft limit.

At the end cryptolibraries many times keep implementing the weak algorithms
because the algorithms might be strong enough for a different purpose (like
a digest vs. an HMAC), or the cryptopolicy gives a different security level
to different purposes (creating vs. verifying a signature), or because the
user is not interested in the cryptographical guarantees at all, he only wants
to unwrap the wanted data (e.g. reading an ancient digitally-signed message).

For the first and the last case cryptolibraries already provide a mean for
applications to convey an intent for, or a use of the algorithm. It's "only"
necessary to augment API of the libraries to support the intent parameter
everywhere.

Now cryptopeople will argue that users will learn to click "connect anyway"
all the time. Well, there will be users like that. But not everbody is like
that. I'd rather use a device which I can control than me to be controlled by
the device.

-- Petr

Attachment: signature.asc
Description: PGP signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux