A key part of the merit question for me depends on the primary purpose of the page: is it primarily a guide for TLS configuration of Mozilla sites (for the Ops teams that run them), with its value for non-Mozilla staff more incidental due to the public nature of Mozilla, or is the providing of quality guidance on TLS configurations for any and all also a primary goal? If the latter, IIS seems worthwhile; if the former, much less so unless Mozilla starts using IIS servers at some point. As for maintaining it, I'd be happy to volunteer, but only on a best-effort basis. That being said, updates should be relatively infrequent as IIS features are largely pinned to Windows releases. So guidance would typically change in response to either new IIS versions introducing new security features or new TLS attacks resulting in recommended changes to mitigate (as in the case of BEAST, CRIME, etc.).
=== ulfr, 20140428 ===
The value of this page outside of Mozilla is not incidental: it was written with the goal to be publicly available. The SSL/TLS rationale is generic and can be applied to any daemon on any system. The configuration samples section, however, is targeted to Ops teams within Mozilla corporation and community. Maintaining these configuration samples is time-consuming, and we (OpSec) want to stay focused on what our Ops need to preserve resources. But it is a public resource and we will always welcome contributions from inside and outside of Mozilla. Add IIS if you think it is valuable, and I'm sure people will help maintain it.