Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
From: Dirk-Willem van Gulik <dirkx@webweaving.org>
Content-Type: multipart/signed;
 boundary="Apple-Mail=_88F0D75F-E9F2-4A18-A090-EADA9C5343B6";
 protocol="application/pgp-signature"; micalg=pgp-sha256
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Subject: Re: SSL Policy Definitions
Date: Wed, 3 May 2017 14:25:01 +0200
References: <95C9DA3A-CF68-413F-B620-4EE35B957A60@greenbytes.de>
 <ABC28625-A606-44BB-8B00-E2DD55F84253@sharp.fm>
To: dev@httpd.apache.org
In-Reply-To: <ABC28625-A606-44BB-8B00-E2DD55F84253@sharp.fm>
Message-Id: <FD49785A-AA3C-44AF-A727-8BE5D07D357E@webweaving.org>
archived-at: Wed, 03 May 2017 12:25:45 -0000


--Apple-Mail=_88F0D75F-E9F2-4A18-A090-EADA9C5343B6
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_FE18D173-F299-4C15-9E95-3C7AC7DD61B0"


--Apple-Mail=_FE18D173-F299-4C15-9E95-3C7AC7DD61B0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8


> On 3 May 2017, at 14:09, Graham Leggett <minfrin@sharp.fm> wrote:
>=20
> On 03 May 2017, at 2:01 PM, Stefan Eissing =
<stefan.eissing@greenbytes.de> wrote:
>=20
>> We seem to all agree that a definition in code alone will not be good =
enough. People need to be able to see what is actually in effect.
>=20
> I think we=E2=80=99re overthinking this.
>=20
> We only need to document the settings that SSLSecurityLevel has =
clearly in our docs, and make sure that "httpd -L=E2=80=9D prints out =
the exact details so no user need ever get confused.
>=20
>> If we let users define their own classes, it could look like this:
>=20
> Immediately we=E2=80=99ve jumped into functionality that is beyond =
Mr/Mrs Normal.

Agreed. If our default is simply =E2=80=98industry best practice=E2=80=99 =
(i.e. what we say it is*) =E2=80=94 then Normal will be the new black.

And everyone else is still in the same boat - i.e. having to specify it =
just like they do today.

All that requires it to make the defaults sane.

Dw.

*: exceed NIST and https://www.keylength.com/ =
<https://www.keylength.com/> for 5+ years, PFS, A or better at SSLLabs. =
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Pract=
ices =
<https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Prac=
tices>


--Apple-Mail=_FE18D173-F299-4C15-9E95-3C7AC7DD61B0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" =
class=3D""><br class=3D""><div><blockquote type=3D"cite" class=3D""><div =
class=3D"">On 3 May 2017, at 14:09, Graham Leggett &lt;<a =
href=3D"mailto:minfrin@sharp.fm" class=3D"">minfrin@sharp.fm</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><div class=3D""><div =
class=3D"">On 03 May 2017, at 2:01 PM, Stefan Eissing &lt;<a =
href=3D"mailto:stefan.eissing@greenbytes.de" =
class=3D"">stefan.eissing@greenbytes.de</a>&gt; wrote:<br class=3D""><br =
class=3D""><blockquote type=3D"cite" class=3D"">We seem to all agree =
that a definition in code alone will not be good enough. People need to =
be able to see what is actually in effect.<br class=3D""></blockquote><br =
class=3D"">I think we=E2=80=99re overthinking this.<br class=3D""><br =
class=3D"">We only need to document the settings that SSLSecurityLevel =
has clearly in our docs, and make sure that "httpd -L=E2=80=9D prints =
out the exact details so no user need ever get confused.<br class=3D""><br=
 class=3D""><blockquote type=3D"cite" class=3D"">If we let users define =
their own classes, it could look like this:<br class=3D""></blockquote><br=
 class=3D"">Immediately we=E2=80=99ve jumped into functionality that is =
beyond Mr/Mrs Normal.<br class=3D""></div></div></blockquote></div><br =
class=3D""><div class=3D"">Agreed. If our default is simply =E2=80=98indus=
try best practice=E2=80=99 (i.e. what we say it is*) =E2=80=94 then =
Normal will be the new black.</div><div class=3D""><br =
class=3D""></div><div class=3D"">And everyone else is still in the same =
boat - i.e. having to specify it just like they do today.</div><div =
class=3D""><br class=3D""></div><div class=3D"">All that requires it to =
make the defaults sane.</div><div class=3D""><br class=3D""></div><div =
class=3D"">Dw.</div><div class=3D""><br class=3D""></div><div =
class=3D"">*: exceed NIST and&nbsp;<a href=3D"https://www.keylength.com/" =
class=3D"">https://www.keylength.com/</a>&nbsp;for 5+ years, PFS, A or =
better at SSLLabs.&nbsp;<a =
href=3D"https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Be=
st-Practices" =
class=3D"">https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment=
-Best-Practices</a></div><div class=3D""><br =
class=3D""></div></body></html>=

--Apple-Mail=_FE18D173-F299-4C15-9E95-3C7AC7DD61B0--

--Apple-Mail=_88F0D75F-E9F2-4A18-A090-EADA9C5343B6
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.30

iQCVAwUBWQnMITGmPZbsFAuBAQiCXwP9FfKGc8nZrer9dhAdTs+qjD9RydcCp9XC
uXj+Rb/fm0cjAioL3w9LEMUOk1yHMU93x4hlTShi/3mqHVZijzjhKbjxqdmffu81
7Cw8Zu9Rl7AFdV69hhPJaBun5pqXYmfn/tVR4Ww4L+OXcoJGPsrsiyufoDRq6h0l
RSic4IKczx8=
=4zRW
-----END PGP SIGNATURE-----

--Apple-Mail=_88F0D75F-E9F2-4A18-A090-EADA9C5343B6--