From: "Stephen J. Turnbull"
To: "Perry E. Metzger"
Cc: Florian Weimer, emacs-devel@gnu.org, rms@gnu.org, Rob Browning, kurt@roeckx.be
Newsgroups: gmane.emacs.devel
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Tue, 28 Oct 2014 02:17:00 +0900
Message-ID: <8738a95t6b.fsf@uwakimon.sk.tsukuba.ac.jp>

Perry E. Metzger writes:

> There are ways to provide compatibility without sacrificing security,
> however. Read our papers or our (redacted) recommendations to law
> enforcement if you wish.

How many of those law enforcement agencies immediately acted on your
recommendations? How many still use P25 with unencrypted fallback?

> I think that removing SSL 3.0 support is not an "extreme measure" and
> leaving it in isn't "balanced" at this point.

While my credentials in security aren't anywhere near as good as
yours, unfortunately, you are obviously an extremist (note: not
"alarmist") so claims that policies you advocate aren't extreme won't
wash. They may nevertheless be correct, but I'd rather hear arguments
to that effect. Or better yet, see the experiment with the default
switched to refuse to do SSL 3.0, and actual removal scheduled for the
next release.

> TLS 1.0 has been around for a very long time. If you want to argue
> that removing TLS 1.0 and 1.1 support is a bad idea since support
> has only become 100% universal in the last several years, you have a
> case to make -- perhaps it should be another few years until those
> are deprecated. Then again, I never suggested removing them right
> now.

Mac OS X Yosemite still delivers OpenSSL libraries with 0.9.8.

> If, on the other hand, you want to argue that getting rid of SSL 3.0
> is a problem at this point, then you are arguing de facto that bad
> protocols can *never* be removed,

You can catch lots of flies with that kind of horse manure, but you
aren't going to catch agreement by putting words in others' mouths.

> and that causing minor inconvenience to a handful of users is far
> more important than security.

What's your evidence that the inconvenience in using Emacs is minor
and the Emacs users affected are a handful?