proposed text for crypto-policies in Packaging Guidelines

Eric H. Christensen sparks at fedoraproject.org
Fri Aug 8 14:30:01 UTC 2014


On Fri, Aug 08, 2014 at 04:11:51PM +0200, Reindl Harald wrote:
> On 08.08.2014 at 15:44, Eric H. Christensen wrote:
> > On Fri, Aug 08, 2014 at 03:36:51PM +0200, Reindl Harald wrote:
> >> On 08.08.2014 at 15:21, Nikos Mavrogiannopoulos wrote:
> >>> Postfix is a different kind of beast though. It does not typically use
> >>> TLS, but uses some kind of opportunistic security that allows anonymous
> >>> ciphersuites. So it's a bit hard to enforce anything there, as
> >>> man-in-the-middle attacks are possible by design
> > 
> >> and keep in mind in case of opportunistic TLS if you restrict
> >> ciphers and the SMTP client doesn't support what you offer it
> >> falls back to completely plaintext which defeats the intention
> > 
> > Falling back to an insecure cipher only provides a false sense of security 
> > which isn't any better than plaintext.
> 
> you *can not* enforce ciphers for opportunistic TLS - period
> because that is the nature of *opportunistic*

I agree with your assessment; however, ordering the ciphers that are to be used can still be done.

-- Eric

--------------------------------------------------
Eric "Sparks" Christensen
Red Hat, Inc - Product Security

sparks at redhat.com - sparks at fedoraproject.org
097C 82C3 52DF C64A 50C2  E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
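As an added example (not from the thread, and not taken from the Postfix or crypto-policies documentation), here is a Postfix main.cf fragment that reflects the distinction made above: opportunistic TLS stays permissive because a peer that cannot negotiate any offered suite falls back to plaintext, while server-side cipher preference ordering still applies and a stricter grade is enforced only where TLS is mandatory. The policy map path is an assumption.

```ini
# Added example: Postfix main.cf fragment illustrating the thread's point.
# Receiving side, opportunistic TLS: "may" encrypts when the peer offers
# STARTTLS and otherwise accepts plaintext. Nothing here can force a peer
# to use TLS, which is what makes cipher enforcement pointless at this level.
smtpd_tls_security_level = may

# Keep the cipher grade for the opportunistic level permissive: raising it
# does not make a client use better ciphers, it only turns its session
# into plaintext. (Opportunistic TLS also allows anonymous suites, as
# noted in the thread; excluding aNULL here would have the same effect.)
smtpd_tls_ciphers = medium

# What can be done: prefer the server's cipher order over the client's,
# so the strongest suite both sides support is the one that gets chosen.
tls_preempt_cipherlist = yes

# A stricter grade is meaningful only where TLS is mandatory (e.g. the
# submission service in master.cf with smtpd_tls_security_level=encrypt),
# because there a failed handshake aborts the session instead of
# silently falling back to plaintext.
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

# Sending side: opportunistic by default, with per-destination
# "encrypt"/"secure" entries in a policy map for peers that must be
# encrypted (assumed path; entries are not shown here).
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
```

After editing, `postconf -n` lists the effective non-default values and `postfix reload` applies them; the TLS-related output of a test session with a known-good peer in the mail log shows which suite the ordering actually selected.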