Quoting Hanno Rince' Wagner (2017-08-20 22:01:51) > On Fri, 18 Aug 2017, Tollef Fog Heen wrote: > > > I think you're wrong on this point, having Debian make this change makes > > it a lot easier for me to go to company management and explain that TLS > > v1.2 is the only way forward and that we need to spend engineering > > resources to make sure any users on platforms where support for that is > > lacking get a proper notification and a chance to move to something > > newer. «We need to do this because this change is coming, whether we > > want it or not.» > > If you need more "firepower" for management: The BSI (german > governmental organisation for security in information technology) has > guidelines regarding cryptography, see > > https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.pdf > > They say in their technical guidelines that TLS 1.1 is not recommended > anymore and TLS 1.0 is not recommended at all. > SSLv2 and SSLv3 are not recommended. > > So, if managers want to have somewhere "officially" written that > TLS1.0 and 1.1 shouldn't be used anymore, this is a guideline I can > recommend. > > And IMHO we as debian should support all people going for stronger > encryption by enabling it as good as possible and make it default. If > someone wants or needs to use older ciphers, he should be able to, but > it shouldn't be default...
I believe noone in this thread disagree with _recommending_ only TLS 1.2 and that no services _should_ use anything else. Question is if Debian _force_ only TLS 1.2 so that no services _can_ use anything else. - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private
signature.asc
Description: signature
