# [Ach] One request on committing to the repository

L. Aaron Kaplan kaplan at cert.at
Fri Nov 22 01:06:26 CET 2013

Hi,

Philipp, thanks for your commits in
https://git.bettercrypto.org/ach-master.git/commitdiff/bb3bcb346b58ae227e0534e070e7f1682044b024

While I see many great corrections and fixing of typos, I nevertheless have two requests, which is why I'd like to see this commit reverted for the moment (not forever!):

1) In the future, please use individual commits instead of one big one where you changed a lot. This is much easier to compare and check (yes, I actually cross check every commit). But this is more of a formalism.

This is important:

2) We established a tradition here to really discuss cipher string recommendations.
So, please first discuss with us why you changed:

diff --git a/src/practical_settings.tex b/src/practical_settings.tex
index 67570b4..23bf018 100644 (file)
--- a/src/practical_settings.tex
+++ b/src/practical_settings.tex
@@ -22,7 +22,7 @@
# ALL subdomains HAVE TO support https if you use this!
# Strict-Transport-Security: max-age=15768000 ; includeSubDomains

-  SSLCipherSuite 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
+  SSLCipherSuite 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
\end{lstlisting}
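
Review bot: On the changed `SSLCipherSuite` line, `!SRP` is dropped from the exclusion list (between `!PSK` and `!DSS`) and nothing in the hunk says why. Please state the rationale: either the exclusion is considered redundant because none of the positive terms in the string is expected to select SRP suites, or SRP suites are now meant to be allowed. Comparing the `openssl ciphers -v` output for the old and the new string would show whether the effective suite list changes at all, and that result belongs in the commit message. Because this line sits inside a listing that readers will copy verbatim, the change should also be its own commit, separate from the typo fixes.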

(in short: you removed the "!SRP" part).
While your change might be 100% correct, great and we really made a mistake, it pays off to discuss this internally first. And in addition, this change should be verified against ssllabs.com.

So, Philipp, I reverted your commit temporarily with the intention to first re-discuss this before it finds its way into the final document, OK?
No bad intention, but I feel this commit needs to be discussed first.
Do you agree with that change in cipher string?

Don't worry, I will cherry-pick from the other commits that you made (lots of good typo squatting changes etc.) in the meantime. I mainly worry about the change in the cipher string.

a.

---
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// An initiative of nic.at GmbH - http://www.nic.at/
// Company register number 172568b, Regional Court Salzburg
