[Development] RFC: Managing the Addition of New SSL Backends
Thiago Macieira
thiago.macieira at intel.com
Sat May 3 23:42:16 CEST 2014
Em sáb 03 maio 2014, às 22:23:30, Richard Moore escreveu:
> Simplifying the Cipher API
> ==========================
>
> Currently, the QSslCipher API is pretty large. It's not simply the
> code in the QSslCipher class itself, but also all the stuff in the
> QSslConfiguration that defines the preferences. Instead, we could
> offer a simplified API that all backends must offer. So, for example
> we could have something as simple as High, Medium and Low! After all,
> most people (including developers) don't know the trade-offs of the
> different cipher suites anyway. We could also have a flag for perfect
> forward secrecy since that is independent of the strength. It would
> also be possible to have a setting like FIPS for people who care about
> that.
High, Medium and Low convey no meaning. Why should I choose "low security"?
I'd say that we should either provide no choice in choosing the ciphers, or at
most provide certain implementation details like allowing or disallowing
ciphers without perfect forward secrecy and a choice of ciphers that are FIPS-
certified.
--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel Open Source Technology Center
More information about the Development
mailing list