
Re: CUPS is now linked against OpenSSL



On 01/13/2014 11:38 AM, Didier 'OdyX' Raboud wrote:

> That would be quite a bold move to take. The one aspect that puzzles me 
> most is: in which ways "no TLS security" is better than "incompletely 
> secure TLS"? 

if the only axis we're measuring along is cryptographic security, then
protecting against passive attackers (eavesdroppers) is clearly better
than not doing so.

but if people think that CUPS' TLS protects them against active
attackers, and they use that to do things like send confidential
information over the link, they have been lulled into a false sense of
security.

And: cryptographic security is not the only axis we should be measuring
on.  The other axis is difficulty of license compliance, and CUPS
licensing is currently in a state that i would consider it difficult to
ship effectively with any sort of well-maintained cryptographic support
and remain in compliance with all the relevant licenses.

Does this make CUPS less useful than it used to be?  Is this a
regression?  yes, and yes.  That's why we should try to get one project
(either CUPS or GMP) to change their licensing to fix the issue rather
than trying to get dozens of projects to change their licensing.

Alternately, does anyone know anyone from the polarssl community who we
could cajole into patching that TLS implementation into CUPS?

	--dkg
