Date: Mon, 8 Aug 2016 06:40:39 +1000 From: Peter Jeremy <peter@rulingia.com> To: Andrey Chernov <ache@freebsd.org> Cc: Bruce Simpson <bms@fastmail.net>, Oliver Pinter <oliver.pinter@hardenedbsd.org>, Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= <des@freebsd.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r303716 - head/crypto/openssh Message-ID: <20160807204039.GB79784@server.rulingia.com> In-Reply-To: <30e655d1-1df7-5e2a-fccb-269e3cea4684@freebsd.org> References: <201608031608.u73G8Mjq055909@repo.freebsd.org> <d419bddd-fe56-bc11-8965-142ca0b94ebc@fastmail.net> <9a01870a-d99d-13a2-54bd-01d32616263c@fastmail.net> <CAPQ4fftQ30_aqU8V_ea-WEKBdMZs5H9Rwxnfa0crid_df049nQ@mail.gmail.com> <b99c06ac-82d6-ccda-419c-2ece5be4636f@fastmail.net> <30e655d1-1df7-5e2a-fccb-269e3cea4684@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--v9Ux+11Zm5mwPlX6 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2016-Aug-07 15:25:54 +0300, Andrey Chernov <ache@freebsd.org> wrote: >You should address your complains to original openssh author instead, it >was his decision to get rid of weak algos. No. It's up to the person who imported the code into FreeBSD to understand why the change was made and to be able to justify it to the FreeBSD community. Firstly, security is not absolute - it's always a cost-benefit tradeoff and different communities may make different tradeoffs. Secondly, the importer needs to be confident that the code is actually an improvement, not an attempt by a bad actor to undermine security. > In my personal opinion, if >your hardware is outdated, just drop it out. This is part of the cost-benefit analysis. Replacing hardware has a real cost. If it's inside a datacentre, where the management LAN is isolated =66rom the rest of the world, there may be virtually no benefit to disabling "weak" ciphers. >We can't turn our security >team into compatibility team, by constantly restoring removed code, such >code quickly becomes outdated and may add new security holes even being >inactive. OTOH, FreeBSD has a documented deprecation process that says things will continue working for a major release after being formally deprecated. I don't believe there was any mention about DSA being deprecated before now so I would expect there to be a clearly documented process to restore the ability for a FreeBSD-11 ssh client to talk to a server using 1024-bit DSA. Note that the handbook still talks about using DSA - that needs updating as well. --=20 Peter Jeremy --v9Ux+11Zm5mwPlX6 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQJ8BAEBCgBmBQJXp5zHXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRFRUIyOTg2QzMwNjcxRTc0RTY1QzIyN0Ux NkE1OTdBMEU0QTIwQjM0AAoJEBall6Dkogs0riEP/jyZzo/92LevADLenanKryEd iEoqO2qhnQW7iNh/+3nDM2tnV0jh3nhAE+47crlRas0ssBXc22OfkWUdpcx47iWR s2Y97WA7SovbzVawuDpxcWpMbZ5/XZfcibN7lFPCABZYPvFMf3XvLKLZWFy0qGFY YzXao4TNd+Kz6YnkIuoBEb04/Y9+bg7GnFbKPUVoCoeabMwuxCfpn4pq+nm7DvsI kF5Fkuzjl6zYDBygYgwDPXYQ9YGBod1QyJrZwBp4AjGPBCp4WboQSO/aK0eXXaXb 23Of4NiLW9sXYtfOTZ2fc2TldVe/+fCjIFsmcl+quFi7DZiEMvMM7u9O9g3hwLuP 3XaIvOsEMy24gpp/hEHVJyy4poPpqbgSVsMTo4xnJ0o+4bhCD768/VvHh2X4/YSe YbfgRwFv5/0kqVoVHO5YzurHtmeHgKNTWl/tn08XsgM4+0SkU1fkS4YAALL4Ehg4 a1HTAKOp7TEHb/0Lsks0k8VAI4PD7kXhLLVHVTqe1fCRGK9Dbn/MjUC+FDai2oPE QwujuQhKKwuvpjsT4SzJeRnDlI+tTuraKCUyLcVYKWEua775RQ3Y5+yBPA/vp0re 0sdD34BxS8/qocn01MkNBCQZLTL+vWIHSi0L2QD1Ue2THn3hE44SNXlOFAWX+osY vg6Mx+oxWyWM4Hy7Jf0z =bWRc -----END PGP SIGNATURE----- --v9Ux+11Zm5mwPlX6--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160807204039.GB79784>