On Tue, Mar 03, 2026 at 01:58:12AM +0000, Stephen Farrell wrote:
> 
> 
> On 03/03/2026 01:36, Viktor Dukhovni wrote:
> > Users who want to deploy these groups will do so at their own risk,
> > we may as well be sure to document those risks.
> 
> Minor note: I think "users" above is incorrect as people do not
> commonly pick ciphersuites or groups. I think you rather mean
> developers or those deploying systems. And that means a different
> set of tradeoffs in terms of what's acceptable or required, for
> actual users.

No, I really mean users.  Sadly the Internet is infested with HOWTO
guides with all sorts of "helpful" advice on how to configure your
systems to be more 'secure'.  This means that in fact users (not browser
users, but non-developer operators of various systems) end up making all
sorts of ill-advised tweaks to the default settings of various TLS-enabled
applications (MTAs, database clients and servers, IMAP servers, ...).

Sometimes of course developers also make controversial or poor choices,
they too are users in a sense (of the specification), but in many cases
when TLS is used in infrastructure, rather than in consumer apps for the
unwashed masses, various choices of cryptographic parameters are tweaked
from the application defaults by the users.

-- 
    Viktor.  🇺🇦 Слава Україні!

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
