
Re: Ciphersuite requirements ext#26

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 20 Aug 2014 09:59:13 +1000
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <FC74AEF6-1FE4-42D2-AE40-6628872568C1@mnot.net>
To: Martin Thomson <martin.thomson@gmail.com>
So, are we saying that oppsec defers to the specific protocol negotiated for any ciphersuite requirements (e.g., h2 has a very specific high bar, while http/1.1-over-tls has none)?

Cheers,


On 20 Aug 2014, at 4:23 am, Martin Thomson <martin.thomson@gmail.com> wrote:

> From the issue (https://github.com/httpwg/http-extensions/issues/26):
> 
> Section 3 implies that there are no cipher suite requirements on Opp
> Sec, but it'd be good to discuss and formalise this. May require
> tweaks to HTTP/2 (which places requirements on use of TLS, not TLS
> with "https").
> 
> --
> 
> PHK will disagree, but I think that we're OK here. Better to have a
> single robust profile than to permit exceptions. There are several
> problems with exceptions or variations:
> 
> * oppsec will be detectable as such to a passive observer
> 
> * a single configuration is more robust; better to use a single code
> path and far better not to risk weakening "https" accidentally
> 

--
Mark Nottingham   https://www.mnot.net/
Received on Tuesday, 19 August 2014 23:59:41 UTC
