[Freedombox-discuss] CAs and cipher suites for cautious servers like FreedomBox

Jonas Smedegaard dr at jones.dk
Thu Sep 12 09:10:36 UTC 2013


Which TLS certificate authorities (CA) should we trust?

Which cipher suites should we tolerate?

Ideally the answers are "none" and "only strong ones".  But what is more 
relevant to discuss is *realistic* answers (we can then tighten in later 
revisions):

Which CAs and cipher suites are sensible to use - for now?


I imagine there is no "one size fits all": e.g. serving blog pages 
should be more pragmatic about [legacy systems] than Plinth admin pages 
or other [specific applications].

Would be nice if those knowledgeable about crypto could propose a 
shortlist of purposes, and corresponding CAs and cipher suites.

We could use such shortlists to verify Plinth code, Apache setup, 
ca-certificates package configuration etc.

Anyone knowledgeable about crypto that can help out?


 - Jonas


[specific applications]: The Guardian Project currently discuss choice 
of cipher suites for OTR in their (smartphone) applications: 
https://lists.mayfirst.org/pipermail/guardian-dev/2013-September/002504.html

[legacy systems]: CAcert.org discusses BEAST vs. RC4 impacting MacOS X: 
https://lists.cacert.org/wws/arc/cacert/2013-09/msg00002.html

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
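One way to turn the per-purpose shortlists the post asks for into a check that can be run against an Apache SSLCipherSuite string, as an added example that is not part of the original mail nor FreedomBox/Plinth code. The two policies ("blog" and "admin"), their thresholds and the sample suite records are assumptions for illustration.

```python
"""Audit cipher suites against per-purpose policies (added example, not Plinth code).
Records use the name/protocol/strength_bits keys of ssl.SSLContext.get_ciphers()."""
import ssl
# Assumed illustrative policies; thresholds are not a FreedomBox decision.
POLICIES = {
    # Public blog pages: tolerate CBC suites for legacy clients, but no broken primitives.
    "blog": {"min_bits": 128, "forbid": ("NULL", "EXP", "RC4", "DES", "MD5"),
             "require_fs": False, "require_aead": False},
    # Plinth admin pages: forward secrecy and AEAD only (rules out BEAST-class CBC issues).
    "admin": {"min_bits": 128, "forbid": ("NULL", "EXP", "RC4", "DES", "MD5"),
              "require_fs": True, "require_aead": True},
}

def evaluate(cipher, policy):
    """Return the reasons a suite violates the policy; an empty list means accepted."""
    name, proto = cipher["name"], cipher["protocol"]
    reasons = [f"forbidden primitive {bad}" for bad in policy["forbid"] if bad in name]
    if cipher["strength_bits"] < policy["min_bits"]:
        reasons.append(f"only {cipher['strength_bits']}-bit key")
    # TLS 1.3 suites always use ephemeral key exchange and AEAD; older names need inspecting.
    ephemeral = proto == "TLSv1.3" or name.startswith(("ECDHE-", "DHE-"))
    aead = proto == "TLSv1.3" or any(m in name for m in ("GCM", "CHACHA20", "CCM"))
    if policy["require_fs"] and not ephemeral:
        reasons.append("no forward secrecy")
    if policy["require_aead"] and not aead:
        reasons.append("CBC/MAC suite, not AEAD")
    return reasons

def audit(ciphers, purpose):
    """Map each suite name to its violations under the named policy."""
    return {c["name"]: evaluate(c, POLICIES[purpose]) for c in ciphers}

def accepted(ciphers, purpose):
    """Names of suites the policy tolerates, in the order offered."""
    return [name for name, why in audit(ciphers, purpose).items() if not why]

def expand_cipher_string(cipher_string):
    """Expand an OpenSSL-style string (Apache SSLCipherSuite syntax) with the local OpenSSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()

# Constructed sample mirroring get_ciphers() output, not captured from a real server.
SAMPLE = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "strength_bits": 128},
    {"name": "ECDHE-RSA-AES256-SHA", "protocol": "TLSv1.0", "strength_bits": 256},
    {"name": "AES128-SHA", "protocol": "SSLv3", "strength_bits": 128},
    {"name": "ECDHE-RSA-RC4-SHA", "protocol": "TLSv1.0", "strength_bits": 128},
    {"name": "EXP-DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 40},
]
```

To audit a real Apache setting, pass the directive's value through `expand_cipher_string()` and hand the result to `audit()`; the same record shape means both paths produce the same report.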