Re: How to handle HTTP/2 negotiation failure WRT TLS from 陈智昌 on 2014-02-05 (ietf-http-wg@w3.org from January to March 2014)

From: 陈智昌 <willchan@chromium.org>
Date: Wed, 5 Feb 2014 15:51:45 -0800
To: Paul Hoffman <paul.hoffman@gmail.com>
Cc: Michael Sweet <msweet@apple.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAA4WUYg-LU=35SL1ndOvKOrocKsuQ-GTeA1Mn6vxgXVHcJ+EmQ@mail.gmail.com>

Paul, just a few things here:
* I misunderstood you earlier. I thought you were talking about
negotiation failure in general, not just specifically the ciphersuite
requirement.
* I hope that explains why I think you should fork the discussion. I
hope you don't think I'm actually being disingenuous. I think we can
separately treat the discussion of what MUST cause negotiation
failure, and how to handle mandatory negotiation failure. IIUC, you
are advocating that the ciphersuite requirement not be mandatory
because two mutually consenting adults can agree to engage in sketchy
behavior together.

Cheers.

On Sat, Feb 1, 2014 at 8:18 PM, Paul Hoffman <paul.hoffman@gmail.com> wrote:
> On Sat, Feb 1, 2014 at 9:52 AM, William Chan (陈智昌) <willchan@chromium.org>
> wrote:
>>
>> Paul, I'm not sure if I grok your response. Are you replying to my
>> question of how to handle negotiation failure, or to the base spec
>> mandating negotiation failure based on certain TLS properties
>> (extensions, ciphersuites, etc)?
>
>
> Both: your question (assertion, really) about handling negotiation failure
> is predicated on particular types of failures, and the question of what to
> do with an extension failure is quite different than the question of what to
> do when two parties can agree to strong crypto that happens not to meet the
> requirement in the spec.
>
>>
>> Note that the base spec's requirement
>> is already in there:  https://github.com/http2/http2-spec/issues/318 &
>> http://http2.github.io/http2-spec/#TLSUsage. I was not discussing that
>> requirement, but rather discussing what to do when the negotiation
>> fails.
>
>
> So, you are discussing the requirement. If that requirement didn't exist,
> you would still (quite properly) be discussing what to do when there are
> extension failures.
>
>>
>> If you disagree with mandating negotiation failure based on
>> certain TLS properties, maybe fork this thread so others don't get
>> confused?
>
>
>  This feels a bit disingenuous. Your question was how to downgrade under
> cases A, B, and C, with the strong implication that it would be the same for
> all three cases. I pointed out that one case should be treated differently
> because it makes HTTP/2 establishment unnecessarily brittle even when both
> parties agree to secure ciphersuites.

Received on Wednesday, 5 February 2014 23:52:12 UTC