<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 5/26/2023 12:47 PM, Michael Wojcik
via openssl-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DM6PR18MB2700ADE04BC3CF652DC03720F9479@DM6PR18MB2700.namprd18.prod.outlook.com">I'm
sure people can make reasonable arguments for presenting a
combined list to end users, and then programmatically separating
that into the two collections.<br>
</blockquote>
<br>
My hope would be that we wouldn't *need* to separate them, that we
could just have one list. But maybe I'm spending more effort
attempting to achieve that simplification than it's worth.<br>
<br>
Mostly I am not *too* concerned about usability here. I regard this
as an escape hatch. 98% of the time the defaults we supply will be
fine. 1% of the time it will be necessary to loosen them for
interoperability with older equipment. 1% of the time it will be
necessary to tighten them to disallow some compromised algorithm, or
for some policy reason. These are not personal preference items
where users can be expected to select random combinations and expect
them to work - my only goal there is that selecting a bad
combination must not fail stupidly.<br>
<br>
Other than intellectual curiosity as to why a single unified list is
a bad idea, I think I've gotten the answer I needed: the fact that
the "ciphersuites" functions accept and process TLS 1.2 ciphers is
an accident that we should not rely on.<br>
<br>
<pre class="moz-signature" cols="72">--
Jordan Brown, Oracle</pre>
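<br>
The programmatic separation Michael describes above, as an added example that is not part of this thread and not OpenSSL's or Oracle's code: one user-facing, colon-separated list is split into the TLS 1.2 "cipher list" (what SSL_CTX_set_cipher_list / Python's set_ciphers takes) and the TLS 1.3 "ciphersuites" list (what SSL_CTX_set_ciphersuites takes), rather than relying on the accidental tolerance Jordan mentions. The example assumes TLS 1.3 suites are identified by exact match against the five IANA names OpenSSL supports and that every other token (OpenSSL cipher names, keywords such as HIGH, operators such as !aNULL or @STRENGTH) is TLS 1.2 cipher-list syntax; it also checks that the TLS 1.2 half actually selects something, so a list made only of typos is rejected at configuration time rather than failing at handshake time.<br>

```python
import ssl

# The five TLS 1.3 ciphersuites OpenSSL knows, by their IANA names.
# Assumption of this example: these exact names are what a combined
# user-facing list carries for TLS 1.3; anything else is TLS 1.2 syntax.
TLS13_SUITES = frozenset({
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})


def split_cipher_config(combined: str) -> tuple[str, str]:
    """Split one ':'-separated string into (tls12_cipher_list, tls13_ciphersuites).

    Relative order inside each collection is preserved, empty tokens are
    dropped, and TLS 1.2 keywords/operators (HIGH, !aNULL, @STRENGTH, ...)
    stay in the cipher list untouched.
    """
    tls12, tls13 = [], []
    for token in combined.split(":"):
        token = token.strip()
        if not token:
            continue
        (tls13 if token in TLS13_SUITES else tls12).append(token)
    return ":".join(tls12), ":".join(tls13)


def tls12_list_is_usable(cipher_list: str) -> bool:
    """Ask OpenSSL (via Python's ssl module, which wraps SSL_CTX_set_cipher_list)
    whether the TLS 1.2 half selects at least one cipher.

    OpenSSL silently drops unknown names but rejects a list that matches
    nothing, so this catches a list consisting only of typos early.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return False
    return True


def apply_combined(ctx: ssl.SSLContext, combined: str) -> tuple[str, str]:
    """Apply the TLS 1.2 half to a context and return both halves.

    Python's ssl module has no wrapper for SSL_CTX_set_ciphersuites, so the
    TLS 1.3 half is returned for the caller to hand to that function from C
    (or to leave at OpenSSL's default).  An empty TLS 1.2 half leaves the
    context's default cipher list in place; a non-empty one that matches no
    cipher raises ValueError instead of being applied.
    """
    tls12, tls13 = split_cipher_config(combined)
    if tls12 and not tls12_list_is_usable(tls12):
        raise ValueError(f"TLS 1.2 cipher list selects nothing: {tls12!r}")
    if tls12:
        ctx.set_ciphers(tls12)
    return tls12, tls13


if __name__ == "__main__":
    # Constructed sample: one user-facing list mixing both generations.
    sample = ("TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
              "TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
              "!aNULL:@STRENGTH")
    tls12_part, tls13_part = apply_combined(
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT), sample)
    print("cipher_list  :", tls12_part)
    print("ciphersuites :", tls13_part)
```

Because the split is by exact name rather than by asking either OpenSSL setter to tolerate the other generation's names, a future OpenSSL that tightens SSL_CTX_set_ciphersuites would not change the outcome; the only maintenance point is the TLS13_SUITES set if new TLS 1.3 suites are ever added.<br>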
</body>
</html>