On Wed, Feb 12, 2025 at 7:53 PM Jack Bates <jba...@paradoxnetworks.net> wrote:
> Most users don't have any idea and would allow an attacker to compromise
> their bank connection if given the choice. The defaults are designed to
> protect the majority?

I see no issue with the server user deciding that it won't converse with a client user beneath some level of cryptographic quality. The server operator has a reasonable idea how sensitive his information is. My bank shouldn't agree to talk to me with TLSv1.0.

Same with the client user. He has a reasonable idea how much care he wants the data to be given.

My qualm arises when a third party without any knowledge of the data denies one of the users the ability to meet the other at the other's lower cryptographic standard. This is damage to availability in a situation where a meaningful gain to confidentiality or integrity has not been demonstrated and may be demonstrably false. Such as the situations described upthread.

Regards,
Bill Herrin

--
William Herrin
b...@herrin.us
https://bill.herrin.us/