Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.

["Stephen J. Turnbull" <stephen@xemacs.org>]

Perry E. Metzger writes:

 > There are ways to provide compatibility without sacrificing security,
 > however. Read our papers or our (redacted) recommendations to law
 > enforcement if you wish.

How many of those law enforcement agencies immediately acted on your
recommendations?  How many still use P25 with unencrypted fallback?

 > I think that removing SSL 3.0 support is not an "extreme measure" and
 > leaving it in isn't "balanced" at this point.

While my credentials in security aren't anywhere near as good as
yours, unfortunately, you are obviously an extremist (note: not
"alarmist") so claims that policies you advocate aren't extreme won't
wash.  They may nevertheless be correct, but I'd rather hear arguments
to that effect

Or better yet, see the experiment with the default switched to refuse
to do SSL 3.0, and actual removal scheduled for the next release.

 > TLS 1.0 has been around for a very long time. If you want to argue
 > that removing TLS 1.0 and 1.1 support is a bad idea since support
 > has only become 100% universal in the last several years, you have a
 > case to make -- perhaps it should be another few years until those
 > are deprecated. Then again, I never suggested removing them right
 > now.

Mac OS X Yosemite still delivers OpenSSL libraries with 0.9.8.

 > If, on the other hand, you want to argue that getting rid of SSL 3.0
 > is a problem at this point, then you are arguing de facto that bad
 > protocols can *never* be removed,

You can catch lots of flies with that kind of horse manure, but you
aren't going to catch agreement by putting words in others' mouths.

 > and that causing minor inconvenience to a handful of users is far
 > more important than security.

What's your evidence that the inconvenience in using Emacs is minor
and the Emacs users affected are a handful?