Re: IETF mail server and SSLv3

> On Mar 3, 2016, at 1:33 AM, Randy Bush <randy@xxxxxxx> wrote:
> 
> i expect that, at least for the rest of my career, there will always be
> stronger and weaker crypto.  and we will repeatedly go through the pain
> of purging the [then] weak, with folk screaming about compatibility with
> doors 2005.

The way I see it for opportunistic TLS in general, and Postfix specifically,
is that the sensible approach is to prune the deadwood once it is no longer
useful for interoperability except with a theoretical, but in practice negligible
to non-existent minority of peers.  That is, once removing obsolete
and weak crypto has no practical negative consequences, we should just do it.

What makes this possible is widespread adoption of better alternatives, at
which point algorithm agility (often derided in some circles) makes it
possible to move on.

At this point SSLv2, SSLv3, EXPORT ciphers and single DES are disabled in
Postfix by default.  It is sensible for ietf.org to apply similar settings.

-- 
	Viktor.



