Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem

From: Willy Tarreau <w@1wt.eu>
Date: Fri, 19 Sep 2014 08:11:03 +0200
To: Roland Zink <roland@zinks.de>
Cc: ietf-http-wg@w3.org
Message-ID: <20140919061103.GC13993@1wt.eu>

On Wed, Sep 17, 2014 at 10:45:22AM +0200, Roland Zink wrote:
> So how are new ciphers added later? Does this require a new HTTP2 RFC, 
> or a new TLS RFC or do they need to be registered with IANA? What if one 
> of the now acceptable ciphers is no longer considered secure and should 
> be disabled?

Simple response: it will not be possible to upgrade them anymore because
servers will have to change their cipher suite and become suddenly
incompatible with already deployed browsers. Updating the spec does not
mean upgrading all implementations at once... And advertising a new ALPN
name will not mean that servers will be able to propose a different cipher
suite depending on what protocol version is selected.

> Doesn't this cipher selection belong into TLS and not h2?

Sure!

Willy
Received on Friday, 19 September 2014 06:11:27 UTC
