- From: Stuart Douglas <stuart.w.douglas@gmail.com>
- Date: Wed, 24 Sep 2014 19:42:34 +1000
- To: Martin Thomson <martin.thomson@gmail.com>
- CC: Simone Bordet <simone.bordet@gmail.com>, Eric Rescorla <ekr@rtfm.com>, Roland Zink <roland@zinks.de>, HTTP Working Group <ietf-http-wg@w3.org>
Martin Thomson wrote: > On 24 September 2014 02:08, Simone Bordet<simone.bordet@gmail.com> wrote: >> Old h2 clients that are dynamically linked to a new TLS implementation >> will have X but not know that is acceptable. > > Implementations shouldn't be enabling cipher suites that they don't understand. > I think that this is really not the implementations concern, it should be up the admin and the TLS implementation. IMHO H2 implementors should be free to just implement the protocol, deciding on the TLS cyphers that should be used is up to the admins and the TLS implementation. Effectively banning people from using HTTP2 because they are using the wrong TLS implementation just seems punitive, and will hamper adoption. I think that for the most part the people that will be implementing and adopting h2 are not the people using ancient insecure cyphers. I also think that this clause will do more to hinder the adoption of H2 than it will to foster the adoption of stronger cyphers. Stuart
Received on Wednesday, 24 September 2014 09:43:04 UTC