X-Git-Url: https://git.bettercrypto.org/ach-master.git/blobdiff_plain/f53409d84d594c5f0774e371b65b3f1c5e10bbee..d39eb220167bd80ede7d25fe8da531923d3138f1:/TODO.txt diff --git a/TODO.txt b/TODO.txt index 4bfa0b1..40732ec 100644 --- a/TODO.txt +++ b/TODO.txt 
@@ -2,14 +2,164 @@ Website ======== +BIG TOPICS +========== +* write a Justification section to every setting, maybe have that later in the document. + +* move the explanations to a later part of the document. Code snippets go *first* . The target group is sysadmins, must be easily copy & paste-able. Or find a different way so that they can easily use/read the document + +* Write section 7.3 (-> Adi . How to chose your own cipher string + screenshots) + +* Decide/Discuss recommended ciphers: + - AES/CAMELLIA/ARIA20/... + - 256bit vs 128bit (security margin, ordering in recommended ciphers) + - DH parameters: what is our recommendation? >2048? >=2048? leave default (aka 1024)? + Formatting ========== -* one-column layout: make page margins smaller +DONE * one-column layout: make page margins smaller +DONE * add large "DRAFT" letters on top of every page. + make the git version number part of the document +* Layout of sample code (lstisting format) : make it pretty! + +* make every section like the Apache section + +Workflow +======== + +* how to keep things up to date? +* how to automatically test compatibility? +* how to make sure that this document has the latest information on cipher strengths? + Contents ======== -* Test all settings +* scan our local region of the internet for https/smtp/imaps/pop3s + +* Common Pitfalls: + - key generation + - key management , key life cycle + - cloning of VMs + - common / default passphrases +* DH parameter? +* Further research + - mysql, SMB, +* Wish List for software vendors? +* sweet spot, wo koennen wir was sinnvoll machen, was waere zu viel (8192 bit keys...) + + +1. document the abstract needs that we have for the cipher settings (HSTS etc) + Then find the best cipher setting strings per se + Only then put it to all servers and keep it rather uniformely (as much as possible) + +2. Test all settings + * Test with more clients and other OSes than OSX / iPhone!! +--> clients? + - thunderbird + - Apple Mail? 
+ - Outlook * + - Playstation und XBox? --> LATER! + - Lotus Notes + - Blackberry* + - Windows Phone 7 ??? + How to Test? + - chapter owner makes a test setup + - tested by: XXX , on: $date. Screenshot of SSLlabs/ $testtool. (checktls.com) + * document (cite) EVERYTHING! Why we chose certain values. Referneces, references, references. Otherwise it does not count! Srsly!! -* .bib file is completely wrong. Make good citations/references. +* .bib file is completely wrong. Make good citations/references. Add books: Schneier, ... +* !! important: add the version string to everything that we tested!! + +* two target groups: + - security specialists / freaks who want the very best settings + - should as many clients work with the settings as possible +* look at TLS1.2 specs and really check if we want all of these settings + + +Section 6 +---------- +Definitely still missing these subsubsections: +* Exchange Server ?? (--> bei M$ angefragt, Evtl. Beitrag von A-Trust) + - SMTP, POP, IMAP +DONE * Exim4 (-> Adi & Wolfgang Breya) +* Checkpoint (-> cm) +* Asa / Palo Alto (-> Azet) +* Terminal Server (VNC ), ?? +* Squid +* XMPP + --> verweise auf die xmpp community bzw. auf xmpp.net verweisen. + Empfehlung: unbedingt ejabberd updaten!! + + +----- snip ---- all protocols that we looked at --- snip ---- +* whatsapp --> man kann nichts machen, out of scope +* Lync: == SIP von M$. +* Skype: man kann ncihts machen, out of scope. +* Wi-Fi APs, 802.1X, ... ???? --> out of scope +* Tomcats/...???? +* VPNs ??? + * PPTP + * Cisco IPSec + * Juniper VPN + * L2TP over IPSec -> egal +* SIP -> Klaus??? +* SRTP -> Klaus??? +* DNSSec ?? Verweis auf BCPxxx --> out of scope + - DANE +What happens at the IETF at the moment? +* TOR?? --> out of scope +* S/Mime --> nachsehen, gibt es BCPs? 
(--> Ramin) +* TrueCrypt, LUKS, FileVault, etc ---> out of scope +* AFS -> out of scope +* Kerberos --> out of scope +* NNTP -> out of scope +* NTPs tlsdate -> out of scope +* BGP / OSPF --> out of scope +* irc,silc --> out of scope +!! * IPMI/ILO/RAC: Java --> important. Empfehlung: nie ins Internet, nur in ein eigenes mgmt VLAN, das via VPN erreichbar ist!! +* LDAP -> out of scope +* RADIUS? -> maybe later... +* Moxa , APC, und co... ICS . Ethernet to serial --> out of scope +* telnet -> DON't!!! +* rsyslog --> out of scope +* ARP bei v6 spoofing -> out of scope +* tinc?? -> out of scope +* rsync -> nur ueber ssh fahren ausser public web mirrors +* telnets -> out of scope +* ftps -> out of scope +!! * seclayer-tcp --> review von Posch & co. +seclayer-tcp 3495/udp # securitylayer over tcp +seclayer-tcp 3495/tcp # securitylayer over tcp +* webmin -> maybe +* plesk -> out of scope +* phpmyadmin --> haengt am apache, out of scope +* DSL modems -> out of scope +* UPnP, natPmp --> out of scope +----- snip ---- all protocols that we looked at --- snip ---- + + + + + + +RNDG section +------------ +- add two, three sentences +- mention HaveGED +- embedded devices are a problem + + + +Contacting / who? +================= +* Juniper +* Cisco +* Leithold + + +LATER / further +================ +* OpenLDAP (-> Adi) +* Windows Active Directory
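Review bot: the DH-parameter question is raised twice in this hunk and left open both times: under "Decide/Discuss recommended ciphers" as "DH parameters: what is our recommendation? >2048? >=2048? leave default (aka 1024)?" and again under Contents as "* DH parameter?". Merge the two into one item and record the decision with a reference, as the hunk's own rule demands ("document (cite) EVERYTHING! Why we chose certain values"); keeping the default 1024-bit parameters would in particular need an entry in the planned "Justification section to every setting". Minor: the list mixes German and English entries ("sweet spot, wo koennen wir was sinnvoll machen", "nie ins Internet, nur in ein eigenes mgmt VLAN") and the status markers are inconsistent (a "DONE" prefix, a "!!" prefix, an "--> out of scope" suffix); one convention would make the TODO easier to scan.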