Hi Jonas! On Sun, 20 Aug 2017, Jonas Smedegaard wrote: > I believe noone in this thread disagree with _recommending_ only TLS 1.2 > and that no services _should_ use anything else. Yes and no. This discussion is not wether _we_ want to use the new versions but wether the user wants to. And if you are using Debian within a company, there are usually rules like "it has to be the best experience for the customer" or so which would say enable everything and don't care about security. But if you have a company who wants to be state of the art in terms of security - and this doesn't mean from the technical point of view but from a management point of view, then you read such guidelines and take their recommendations seriously. Not because it is technically good but because some organisation wants to have it in their management language. These guidelines help you make your point valid for the management. > Question is if Debian _force_ only TLS 1.2 so that no services _can_ use > anything else. IMHO we should have the default at TLS 1.2, but be able to configure 1.0. But this has to be an opt-in value, not an opt-out. best regards, Hanno Wagner -- | Hanno Wagner | Member of the HTML Writers Guild | Rince@IRC | | Eine gewerbliche Nutzung meiner Email-Adressen ist nicht gestattet! | | 74 a3 53 cc 0b 19 - we did it! | Generation @ | #"Das liegt wohl daran, dass du bei DOS "limit memory to lower 1MB" # eingestellt hast (wie alle Leute)." -- Gerhard Wesp in de.comp.os.linux
Attachment:
signature.asc
Description: PGP signature