Re: How to handle HTTP/2 negotiation failure WRT TLS from Mark Nottingham on 2014-02-07 (ietf-http-wg@w3.org from January to March 2014)

From: Mark Nottingham <mnot@mnot.net>
Date: Fri, 7 Feb 2014 13:08:29 +1100
To: Martin Thomson <martin.thomson@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <903503C1-63CE-433C-BC83-69844F3010DD@mnot.net>

OK. Let's try to get some text into SC of -10, at least -- Martin, do you want to take a stab at it? 


On 6 Feb 2014, at 10:45 pm, Amos Jeffries <squid3@treenet.co.nz> wrote:

> On 5/02/2014 3:31 p.m., Mark Nottingham wrote:
>> What do people think about putting advisory text (not requirements) in Security Considerations?
>> 
> 
> I think prohibition of anything that makes it actually worse than
> HTTP/1.1 over TLS is reasonable.
> 
> Otherwise just considerations sounds good. With a particular callout on
> any possible security downgrades to HTTP/1.1 level of security.
> 
> Amos
> 
>> 
>> On 5 Feb 2014, at 12:34 pm, Rob Trace <Rob.Trace@microsoft.com> wrote:
>> 
>>> I am not sure this is such a no brainer.  We should not mandate implementation fallback behavior.  If an implementer would successfully negotiate HTTP 1.1 if HTTP/2 is failing, the implementer should decide how or when to fallback.  For example an implementer could decide that falling back to HTTP 1.1 and a different TLS profile is better than forcing a user to disable HTTP/2 to get to a given site.
>>> 
>>> -Rob
>>> 
>>> From: patrick.ducksong@gmail.com [mailto:patrick.ducksong@gmail.com] On Behalf Of Patrick McManus
>>> Sent: Monday, February 3, 2014 7:43 AM
>>> To: William Chan (陈智昌)
>>> Cc: Martin Thomson; Brian Smith; Michael Sweet; HTTP Working Group
>>> Subject: Re: How to handle HTTP/2 negotiation failure WRT TLS
>>> 
>>> 
>>> 
>>> 
>>> On Sat, Feb 1, 2014 at 4:42 PM, William Chan (陈智昌) <willchan@chromium.org> wrote:
>>> It's not clear to me what "this wasn't an issue" means. I'm guessing
>>> that means that what we have in the spec is OK and it's not necessary
>>> to discuss how to handle negotiation failure and just let
>>> implementations figure it out. That's fine by me.
>>> 
>>> I observe that as per
>>> http://dxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/Http2Session.cpp,
>>> Firefox appears to hard fail. And my inclination is to enforce the
>>> same policy in Chromium. This will affect other implementations that
>>> wish to interoperate with these browsers.
>>> 
>>> 
>>> This seems like a no brainer to me.
>>> 
>>> HTTP/2 is negotiated via ALPN. If the server selects HTTP/2 and also does something that is non-compliant with HTTP/2 that's a protocol error, not a negotiation error.
>>> 
>>> afaict, failing to use TLS 1.2 is an example that isn't really any different than sending a data frame > 14bits long. HTTP/2 has rules - if you can't follow them then run a different protocol, right?
>>> 
>>> 
>>> want me/Chromium to share half-baked thoughts on stuff, that's fine
>>> and I will stop sharing them. Sorry for the noise.
>>> 
>>> 
>>> phhhbt.
>>> 
>> 
>> --
>> Mark Nottingham   http://www.mnot.net/
>> 
>> 
>> 
>> 
> 
> 

--
Mark Nottingham   http://www.mnot.net/

Received on Friday, 7 February 2014 02:09:00 UTC