
Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem

From: Stuart Douglas <stuart.w.douglas@gmail.com>
Date: Wed, 24 Sep 2014 19:42:34 +1000
Message-ID: <5422920A.4040508@gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
CC: Simone Bordet <simone.bordet@gmail.com>, Eric Rescorla <ekr@rtfm.com>, Roland Zink <roland@zinks.de>, HTTP Working Group <ietf-http-wg@w3.org>


Martin Thomson wrote:
> On 24 September 2014 02:08, Simone Bordet <simone.bordet@gmail.com> wrote:
>> Old h2 clients that are dynamically linked to a new TLS implementation
>> will have X but not know that is acceptable.
>
> Implementations shouldn't be enabling cipher suites that they don't understand.
>

I think that this is really not the implementations' concern; it should 
be up to the admin and the TLS implementation. IMHO H2 implementors should 
be free to just implement the protocol, deciding on the TLS cyphers that 
should be used is up to the admins and the TLS implementation. 
Effectively banning people from using HTTP2 because they are using the 
wrong TLS implementation just seems punitive, and will hamper adoption.

I think that for the most part the people that will be implementing and 
adopting h2 are not the people using ancient insecure cyphers. I also 
think that this clause will do more to hinder the adoption of H2 than it 
will to foster the adoption of stronger cyphers.

Stuart
Received on Wednesday, 24 September 2014 09:43:04 UTC
