Re: Stricter TLS Usage in HTTP/2

On 22 May 2014 12:58, William Chan (陈智昌) <willchan@chromium.org> wrote:

> agl@ thought it'd be nice if we could change the spec to reflect
> Chromium's stricter stance here (
> https://codereview.chromium.org/291093002/#msg14). Is this controversial?
> Can we change the spec's guidance here to be more strict?
>

I've opened https://github.com/http2/http2-spec/issues/491 to track this.
The feedback I've gotten from Mozilla folks is that this would be
acceptable to them, though unilateral action from Chrome is not.

The suites we most need to talk about are those that include RC4, 3DES and
AES CBC modes.

Looking at the registry we could simply decide to forbid anything but AEAD
modes, which excludes the suites that use the following constructs: NULL,
RC2, DES, IDEA, DES40, SEED, MD5 (which is used with RC4), and some ARIA
and CAMELLIA modes.  I suspect that the loss of many of these will not be
too hard on folks.

Received on Tuesday, 3 June 2014 22:17:39 UTC
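
The AEAD-only rule floated in the message above, as an added example that is not part of the original mail or of the HTTP/2 spec: a Python check that sorts IANA cipher suite names into AEAD and non-AEAD and names the construct that excludes each one. The token sets, the function names and the sample offer are assumptions built from IANA naming conventions (GCM, CCM and ChaCha20-Poly1305 are treated as the AEAD modes).

```python
# Added illustration: classify IANA TLS cipher suite names as AEAD or not.
# The token sets are assumptions based on IANA suite naming, not spec text.
AEAD_MODES = {"GCM", "CCM"}                 # CCM_8 splits into CCM + 8
AEAD_PAIR = {"CHACHA20", "POLY1305"}        # both tokens must be present
FLAGGED = {"NULL", "RC2", "RC4", "DES", "DES40", "3DES",
           "IDEA", "SEED", "CBC", "MD5"}    # constructs named in the thread


def bulk_tokens(suite):
    """Tokens describing cipher and MAC: the part after _WITH_, or after
    the TLS_ prefix for names that carry no key exchange."""
    name = suite.strip().upper()
    _, sep, rest = name.partition("_WITH_")
    if not sep:
        rest = name[4:] if name.startswith("TLS_") else name
    return rest.split("_")


def classify(suite):
    """Return (is_aead, reasons). reasons lists the flagged constructs
    found in a non-AEAD suite, or ['non-AEAD'] if none is recognised."""
    tokens = set(bulk_tokens(suite))
    if tokens & AEAD_MODES or AEAD_PAIR <= tokens:
        return True, []
    return False, sorted(tokens & FLAGGED) or ["non-AEAD"]


def aead_only(offered):
    """Filter an offer down to AEAD suites, preserving preference order."""
    return [s for s in offered if classify(s)[0]]


# Constructed sample offer (real IANA names, arbitrary order).
SAMPLE_OFFER = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CCM_8",
    "TLS_RSA_WITH_NULL_SHA",
]

if __name__ == "__main__":
    for suite in SAMPLE_OFFER:
        ok, why = classify(suite)
        print(f"{'allow' if ok else 'deny '} {suite} {','.join(why)}")
```

Matching on whole tokens rather than substrings keeps DES from matching inside 3DES or DES40, and lets the CAMELLIA and ARIA suites split by mode instead of by cipher name.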