Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem

From: Jason Greene <jason.greene@redhat.com>
Date: Mon, 22 Sep 2014 11:41:22 -0500
Cc: Greg Wilkins <gregw@intalio.com>, Patrick McManus <pmcmanus@mozilla.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <D7B49F55-663F-4005-AD06-7E4057491608@redhat.com>
To: Eric Rescorla <ekr@rtfm.com>

On Sep 22, 2014, at 11:18 AM, Eric Rescorla <ekr@rtfm.com> wrote:

> 
> I don't actually think this is that important an issue either. As I understood the discussion
> in Zurich, the new TLS limitations were directed towards pulling users of HTTP2 towards
> modern algorithms. However, algorithms which have serious weaknesses should probably
> be deprecated in all versions of HTTP (as with https://tools.ietf.org/html/draft-ietf-tls-prohibiting-rc4-00).
> 
> Say we decided that in future we preferred Aero (https://tools.ietf.org/html/draft-mcgrew-aero-01)
> to AEAD constructions. That seems like something we could roll out in HTTP3 but wouldn't
> be appropriate to retroactively apply to TLS 1.2 unless there was something seriously wrong
> with AEAD (and then see above).

I think this hypothetical actually counters your point. Every rev of the HTTP spec introduces interop cost; therefore, having to rev the protocol just because TLS needs to rev is unnecessary cost.

--
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat
Received on Monday, 22 September 2014 16:41:57 UTC
