💾 Archived View for gem.benscraft.info › mailing-list › threads › 178 captured on 2021-12-05 at 23:47:19. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
- text at sdfeu.org
@ Thu, 08 Apr 2021 19:59 +0000
In reply to
────────────────────────────────────────────────────────────────────────────────
On Thu, 08 Apr 2021 16:59:31 +0000, nervuri wrote:
> On Wed, 2021-04-07, Sean Conner wrote:
>> Also, stats [1] show that some 21% of Gemini sites still use TLS 1.2.
>> Personally, I think that once this falls below 5% (or greater than 95%
>> of all sites support TLS 1.3) we can revisit this decision.
>
> Also, if the actual blocker is the percentage of servers and clients
> supporting TLS 1.3, then that's what the specification should say,
> rather than referring to libraries. It can be vague, like:
>
> TLS 1.2 is reluctantly permitted until TLS 1.3 support is more
> widespread among Gemini servers and clients.
> The minimum required TLS version is 1.2,
> but clients who wish to be "ahead of the curve" MAY
> refuse to connect to servers using TLS version 1.2.
Could we even formulate it without specifying version numbers, not knowing
which version Gemini should be using in, like, a decade? Somewhat along the lines of:
Servers and clients must use TLS. The current (stable) TLS version should
be supported; the next lower version may be supported as long as
a) this lower version is not [commonly] considered insecure [by whom?]
and
b) the majority of [common] TLS libraries do not [yet] support the
current TLS version in the libraries' stable versions.
Not too sure about a) and the "common" parts, though.
Thx
════════════════════════════════════════════════════════════════════════════════
- Benjamin Cronin <bcronin720 at gmail.com>
@ Thu, 08 Apr 2021 22:05 -0400
In reply to text at sdfeu.org
────────────────────────────────────────────────────────────────────────────────
Perhaps it could mention something about published vulnerabilities or
crackability with consumer hardware, as a response to the [by whom?] that
nervuri mentions here.
I think library support is also important to make sure that any
implementations are done well and that people aren't trying to rush a
standard without proper support, leading to more bugs and opportunities for
malicious attacks.
- Entflammen
════════════════════════════════════════════════════════════════════════════════
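The thread argues about two stances a Gemini client can take (the spec's TLS 1.2 floor, or refusing TLS 1.2 to be "ahead of the curve") and about whether library support should gate the decision. As an added example, written for this page and not taken from the thread or from any Gemini project, here is a minimal Gemini fetcher in Python that implements both stances as a selectable policy. It checks the linked TLS library for TLS 1.3 support (Benjamin's library-support criterion) before promising strict mode, re-checks the negotiated version after the handshake instead of trusting the configured floor alone, and pins server certificates trust-on-first-use, since Gemini recommends TOFU rather than CA validation. The policy names "permissive" and "strict", the in-memory known_hosts dict, and the constructed certificate bytes used in testing are assumptions made here, not anything the spec defines.

```python
"""Minimal Gemini fetcher with a selectable TLS-version policy.

Added example for this thread, not the Gemini spec's or any client's own code.
Assumes Python 3.7+ (ssl.TLSVersion / SSLContext.minimum_version) and an
OpenSSL build that knows TLS 1.3. Policy names are chosen here.
"""
import hashlib
import socket
import ssl

# "permissive" = the spec's current floor (TLS 1.2 still accepted);
# "strict"     = a client that is "ahead of the curve" and refuses TLS 1.2.
POLICIES = {
    "permissive": ssl.TLSVersion.TLSv1_2,
    "strict": ssl.TLSVersion.TLSv1_3,
}
# Library support: the other criterion raised in the thread.
TLS13_AVAILABLE = ssl.HAS_TLSv1_3

# Version names as returned by SSLSocket.version(), in increasing order.
_RANK = {"TLSv1": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}
_NAME = {ssl.TLSVersion.TLSv1_2: "TLSv1.2", ssl.TLSVersion.TLSv1_3: "TLSv1.3"}


def build_context(policy: str) -> ssl.SSLContext:
    """Client context whose minimum_version enforces the chosen policy."""
    floor = POLICIES[policy]
    if floor == ssl.TLSVersion.TLSv1_3 and not TLS13_AVAILABLE:
        raise RuntimeError("linked TLS library has no TLS 1.3; cannot be strict")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = floor
    # Gemini recommends TOFU instead of CA validation, so the CA check is off
    # here and the leaf certificate is pinned by check_tofu() instead.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def policy_allows(negotiated, policy: str) -> bool:
    """Post-handshake check of the version actually negotiated."""
    return _RANK.get(negotiated, -1) >= _RANK[_NAME[POLICIES[policy]]]


def fingerprint(der_cert: bytes) -> str:
    return "sha256:" + hashlib.sha256(der_cert).hexdigest()


def check_tofu(host: str, der_cert: bytes, known_hosts: dict) -> str:
    """'new' on first sight (and remember it), 'match', or 'mismatch'."""
    fp = fingerprint(der_cert)
    seen = known_hosts.get(host)
    if seen is None:
        known_hosts[host] = fp
        return "new"
    return "match" if seen == fp else "mismatch"


def parse_header(line: str):
    """Gemini response header: two-digit status, space, META, CRLF."""
    line = line.rstrip("\r\n")
    if len(line) < 2 or not line[:2].isdigit() or (len(line) > 2 and line[2] != " "):
        raise ValueError("malformed Gemini header: %r" % line)
    return int(line[:2]), line[3:]


def fetch(url: str, policy: str = "permissive", known_hosts=None, timeout=10):
    """Fetch a gemini:// URL; returns (negotiated TLS version, status, meta, body).

    Host parsing is deliberately simple (no IPv6 literals)."""
    known_hosts = {} if known_hosts is None else known_hosts
    host, port = url.split("//", 1)[1].split("/", 1)[0], 1965
    if ":" in host:
        host, port = host.rsplit(":", 1)
        port = int(port)
    ctx = build_context(policy)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # SNI is mandatory in Gemini, hence server_hostname.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version()
            if not policy_allows(version, policy):
                raise ssl.SSLError("negotiated %s, policy %r forbids it" % (version, policy))
            if check_tofu(host, tls.getpeercert(binary_form=True), known_hosts) == "mismatch":
                raise ssl.SSLError("certificate for %s changed since first sight" % host)
            tls.sendall((url + "\r\n").encode("utf-8"))
            data = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
    header, _, body = data.partition(b"\r\n")
    status, meta = parse_header(header.decode("utf-8"))
    return version, status, meta, body


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: %s gemini://host/path [permissive|strict]" % sys.argv[0])
    mode = sys.argv[2] if len(sys.argv) > 2 else "permissive"
    ver, status, meta, body = fetch(sys.argv[1], mode)
    print("%s negotiated %s -> %d %s (%d bytes)" % (sys.argv[1], ver, status, meta, len(body)))
```

Against a server that only offers TLS 1.2, strict mode fails inside wrap_socket with an SSLError before any request is sent, which is exactly the behaviour the "MAY refuse" wording permits; permissive mode connects and reports "TLSv1.2" from tls.version(), the same value a per-site survey like the one Sean cites would record. The post-handshake policy_allows() check is redundant with minimum_version on a correct library but costs nothing and catches a misconfigured or downgraded context.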