azet at azet.org
Mon Jun 1 12:32:37 CEST 2015
I've waited a bit for others to state the obvious.
> How does their project compare to the BetterCrypto project? Can we shut
> up shop now that the IETF is in the game? Is there a very different
> purpose? Or are they just faffing around in committee again...
> Does the RFC format help? I would have thought the notion of publishing
> an RFC was strictly wrong because security is an arms race and only a
> dynamic document process can help.
> How did their work compare to BetterCrypto's advice? Was there anything
> in there that we didn't know? Is there anything they didn't know?
> Is their advice useful to ... whom? sysadms? Implementors? Designers?
> I gave it a quick skim and it seemed to be rather ... useless to
> sysadms for example.
I think the RFC is an important point-in-time document regarding TLS
security. This document won't give advice on how to configure various
services though. It's not exactly aimed at the sysadmin. It is a BCP we
should all follow and the similarities to bettercrypto are no
coincidence. Others and myself have contributed to that document. I'm
still a bit unhappy that TLS 1.0 didn't get a "MUST NOT negotiate" in
the process. But all-in-all this is an excellent BCP. I don't think it
makes our efforts null; these are two different objectives after all. Or
maybe the same objective on different levels of expertise. I don't
expect sysadmins to read BCPs (they should though).