From: Wouter Verhelst <w@uter.be>
To: Alex Bligh <alex@alex.org.uk>
Cc: "nbd-general@lists.sourceforge.net"
<nbd-general@lists.sourceforge.net>,
"Daniel P. Berrange" <berrange@redhat.com>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [Nbd] [PATCHv3] Improve documentation for TLS
Date: Sat, 9 Apr 2016 13:38:11 +0200 [thread overview]
Message-ID: <20160409113811.GT19023@grep.be> (raw)
In-Reply-To: <7E2CCD80-B06D-4F69-87C2-49F703545E00@alex.org.uk>
On Sat, Apr 09, 2016 at 12:21:03PM +0100, Alex Bligh wrote:
> An alternative route would be to delete OPTIONALTLS, and make some of
> the MUST requirements in SELECTIVETLS say "MUST xyz unless there are
> no TLS-only exports". However, this makes it rather harder to read,
> so I described that case as a separate mode.
I understand now.
However, although I disagree with Daniel on the idea of having a server
which can (in the same process) support both TLS-enabled and
non-TLS-enabled exports, I do agree with him that what you call
OPTIONALTLS is a bad idea, and that it should be discouraged.
Mentioning that option explicitly is counter to that goal, and I would
therefore prefer that you not add it.
Also, while we try to negotiate the protocol in such a way that things
remain compatible between implementations who implement a disjoint set
of features from the protocol, I think the long-term goal should be that
STARTTLS and INFO are supported by all implementations (or at least,
that INFO is). In that context, explicitly explaining (in much detail)
what happens when a client doesn't support INFO but does support
STARTTLS seems contraproductive.
So I'd just drop optional.
> >> I'd be all for that. Or certainly "SHOULD NOT support LS versions older
> >> than 1.2 by default"
> >
> > Or that. The point is that doing TLS < 1.2 is stupid, especially for a
> > new protocol, so I think we should make it explicit that clients should
> > not try that save in exceptional circumstances.
>
> +1. Do you want to ping me when you have had a chance to review v5 and
> I will collate all of these in to a v6?
I have, but did not have any further comments.
--
< ron> I mean, the main *practical* problem with C++, is there's like a dozen
people in the world who think they really understand all of its rules,
and pretty much all of them are just lying to themselves too.
-- #debian-devel, OFTC, 2016-02-12
next prev parent reply other threads:[~2016-04-09 11:38 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1460053967-65141-1-git-send-email-alex@alex.org.uk>
2016-04-07 19:50 ` [Qemu-devel] [PATCHv3] Improve documentation for TLS Eric Blake
2016-04-07 20:05 ` Alex Bligh
2016-04-09 10:11 ` [Qemu-devel] [Nbd] " Wouter Verhelst
2016-04-09 10:26 ` Alex Bligh
2016-04-09 10:38 ` Wouter Verhelst
2016-04-09 11:21 ` Alex Bligh
2016-04-09 11:38 ` Wouter Verhelst [this message]
2016-04-09 11:55 ` Alex Bligh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160409113811.GT19023@grep.be \
--to=w@uter.be \
--cc=alex@alex.org.uk \
--cc=berrange@redhat.com \
--cc=nbd-general@lists.sourceforge.net \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).