- From: Brian Smith <brian@briansmith.org>
- Date: Thu, 30 Jan 2014 11:31:09 -0800
- To: William Chan (陈智昌) <willchan@chromium.org>
- Cc: Michael Sweet <msweet@apple.com>, HTTP Working Group <ietf-http-wg@w3.org>

On Thu, Jan 30, 2014 at 9:41 AM, William Chan (陈智昌) <willchan@chromium.org> wrote:

> I guess I'm advocating that a server must not select http/2 in alpn until
> it's sure it supports the base TLS profile. And if the server fails to do so
> correctly, the client hard fails. I do not believe we have backwards
> compatibility issues since the h2 token is new. Clients only have an
> opportunity to tighten requirements when introducing new alpn tokens. Any
> attempt to do so with existing tokens will probably require fallback and
> introduce a potential downgrade attack.

I agree with you. I think it would be good if we implemented this hard-fail behavior before the next interop meeting. Then we will really find out if/how the TLS requirements are problematic.

FWIW, this is now Mozilla bug 965922: https://bugzilla.mozilla.org/show_bug.cgi?id=965922.

Cheers,
Brian

Received on Thursday, 30 January 2014 19:31:37 UTC
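
The hard-fail rule discussed in the message above, as an added example that is not part of the original message or of any browser's code. It assumes, for illustration only, that the "base TLS profile" means TLS 1.2 or later with a cipher suite from a small constructed allow-list; all names here (`Handshake`, `check_negotiation`, `ProfileViolation`, the constants) are hypothetical.

```python
"""Client-side check run after the TLS handshake and ALPN selection (sketch)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: stand-in for the "base TLS profile"; the message does not define it.
MIN_TLS_VERSION = (1, 2)
ALLOWED_SUITES = frozenset({
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
})


class ProfileViolation(Exception):
    """Server selected h2 without meeting the profile; drop the connection."""


@dataclass(frozen=True)
class Handshake:
    alpn: Optional[str]            # token the server selected, None if no ALPN
    tls_version: Tuple[int, int]   # e.g. (1, 2) for TLS 1.2
    cipher_suite: str


def check_negotiation(hs: Handshake) -> str:
    """Return the protocol to speak, or raise ProfileViolation (no fallback)."""
    if hs.alpn != "h2":
        # Existing tokens keep their existing requirements: tightening them
        # would need a fallback path, which is the downgrade risk noted above.
        return hs.alpn or "http/1.1"
    problems = []
    if hs.tls_version < MIN_TLS_VERSION:
        problems.append("TLS %d.%d below minimum" % hs.tls_version)
    if hs.cipher_suite not in ALLOWED_SUITES:
        problems.append("cipher suite %s not in profile" % hs.cipher_suite)
    if problems:
        # Hard fail: the caller must not retry without h2, because a retry
        # is exactly the fallback that reopens the downgrade path.
        raise ProfileViolation("; ".join(problems))
    return "h2"


# Constructed sample handshakes (not captured traffic).
SAMPLES = [
    Handshake("h2", (1, 2), "ECDHE-RSA-AES128-GCM-SHA256"),  # conforming h2
    Handshake("h2", (1, 1), "RC4-SHA"),                      # h2 selected, weak TLS
    Handshake("http/1.1", (1, 0), "RC4-SHA"),                # legacy token, untouched
]
```

Because the new token carries the stricter requirements from its first deployment, a server that trips `ProfileViolation` is simply non-conforming, and no existing deployment is affected.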