[Development] RFC: Managing the Addition of New SSL Backends

Richard Moore rich at kde.org
Sun May 4 13:28:15 CEST 2014


On 3 May 2014 22:42, Thiago Macieira <thiago.macieira at intel.com> wrote:

> On Sat, 3 May 2014, at 22:23:30, Richard Moore wrote:
> > Simplifying the Cipher API
> > ==========================
> >
> > Currently, the QSslCipher API is pretty large. It's not simply the
> > code in the QSslCipher class itself, but also all the stuff in the
> > QSslConfiguration that defines the preferences. Instead, we could
> > offer a simplified API that all backends must offer. So, for example
> > we could have something as simple as High, Medium and Low! After all,
> > most people (including developers) don't know the trade-offs of the
> > different cipher suites anyway. We could also have a flag for perfect
> > forward secrecy since that is independent of the strength. It would
> > also be possible to have a setting like FIPS for people who care about
> > that.
>
> High, Medium and Low convey no meaning. Why should I choose "low security"?
>
>
What I was thinking was that this would specify if weak ciphers etc. should
be enabled. In general you'd end up with the strongest cipher the server
supports anyway, but if you'd set the security to 'low' then you'd be able
to connect to servers that only support low strength ciphers. i.e. this
would be a setting for the minimum acceptable cipher strength.


> I'd say that we should either provide no choice in choosing the ciphers,
> or at most provide certain implementation details like allowing or
> disallowing ciphers without perfect forward secrecy and a choice of
> ciphers that are FIPS-certified.
>
>
That would be possible, yeah.

Rich.
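
The "minimum acceptable cipher strength" idea discussed above, modelled as an added example; it is not code from this thread or from Qt. Every name in it (MinStrength, Policy, negotiate) is hypothetical, and the bit thresholds per level and the sample server lists are assumptions constructed for illustration.

```cpp
#include <string>
#include <vector>

// All names here are hypothetical; this models the proposal, not Qt's API.
enum class MinStrength { Low, Medium, High };

struct Suite {
    std::string name;   // OpenSSL-style suite name
    int bits;           // effective symmetric strength
    bool forwardSecret; // ephemeral (EC)DHE key exchange
};
struct Policy { MinStrength floor; bool requireForwardSecrecy; };

// Assumed thresholds; the thread does not define what each level means.
int minimumBits(MinStrength s) {
    return s == MinStrength::Low ? 40 : s == MinStrength::Medium ? 112 : 128;
}

bool acceptable(const Suite &s, const Policy &p) {
    return s.bits >= minimumBits(p.floor) && (s.forwardSecret || !p.requireForwardSecrecy);
}

// Strongest server-offered suite that the policy accepts, preferring
// forward secrecy on ties. nullptr means the handshake fails instead of
// silently dropping below the floor.
const Suite *negotiate(const std::vector<Suite> &offers, const Policy &p) {
    const Suite *best = nullptr;
    for (const Suite &s : offers) {
        if (!acceptable(s, p)) continue;
        if (!best || s.bits > best->bits
            || (s.bits == best->bits && s.forwardSecret && !best->forwardSecret))
            best = &s;
    }
    return best;
}

// Constructed sample servers (strength figures are illustrative).
const std::vector<Suite> &modernServer() {
    static const std::vector<Suite> v = {
        {"AES128-SHA", 128, false}, {"AES256-SHA", 256, false},
        {"ECDHE-RSA-AES256-GCM-SHA384", 256, true}};
    return v;
}
const std::vector<Suite> &legacyServer() {
    static const std::vector<Suite> v = {
        {"EXP-RC4-MD5", 40, false}, {"DES-CBC3-SHA", 112, false}};
    return v;
}
```

Lowering the floor never changes the result against the modern server; it only decides whether the legacy server is reachable at all.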