
Re: Discussion of 9.2.2

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 26 Sep 2014 09:03:46 +0200
Message-ID: <54250FD2.6040801@gmx.de>
To: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

On 2014-09-24 13:17, Mark Nottingham wrote:
> ...
> My personal observations (no chair hat):
> AIUI, the crux of the purported problem is when a new cipher suite X is introduced, and a client offers it. If the server supports that cipher suite but the HTTP/2 implementation has not decided that it is conformant to these requirements, INADEQUATE_SECURITY will be thrown.
> It seems to me that a few editorial changes would help here.
> a) Explicitly note that INADEQUATE_SECURITY is thrown in 9.2.2 (it’s implied by 9.2 but let’s be explicit). This should happen regardless.
> b) Change the start of #2 above to “HTTP/2”. This should happen regardless.
> c) Change #2 above to “HTTP/2 MUST NOT be used with cipher suites that are known to be stream or block ciphers.” This emphasises that it’s a blacklist, not a whitelist, and avoids throwing INADEQUATE_SECURITY when encountering a cipher suite with unknown properties.
> Regards,
> ...

Can we add a d), as suggested by yourself:

d) Constrain the http/2-on-tls constraints on cipher suites to TLS 1.2 only

(I didn't see any negative feedback on that idea)

Best regards, Julian
Received on Friday, 26 September 2014 07:04:19 UTC
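
The behaviours discussed in this thread, as an added example that is not part of the original messages or of any HTTP/2 implementation: it compares a whitelist check with the blacklist of proposal (c) and the TLS 1.2 scoping of proposal (d) when a newly introduced suite is negotiated. The function names, the suite classifications, the "suite X" name and the future version label are assumptions, as is the reading of (d) as "apply the cipher restriction only when TLS 1.2 is negotiated".

```python
# Added illustration: policy names and suite classifications are assumptions,
# not text from the HTTP/2 draft or code from any implementation.
INADEQUATE_SECURITY = 0xC  # HTTP/2 error code

# Suites this hypothetical implementation has already classified.
KNOWN_ACCEPTABLE = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}  # AEAD
KNOWN_STREAM_OR_BLOCK = {
    "TLS_RSA_WITH_RC4_128_SHA",      # stream cipher
    "TLS_RSA_WITH_AES_128_CBC_SHA",  # block cipher in CBC mode
}


def whitelist(version, suite):
    """Reject anything not positively known to conform (fails closed)."""
    return None if suite in KNOWN_ACCEPTABLE else INADEQUATE_SECURITY


def blacklist(version, suite):
    """Proposal (c): reject only suites known to be stream or block ciphers."""
    return INADEQUATE_SECURITY if suite in KNOWN_STREAM_OR_BLOCK else None


def blacklist_tls12_only(version, suite):
    """Proposal (d), as read here: the restriction applies on TLS 1.2 only."""
    return blacklist(version, suite) if version == "TLSv1.2" else None


POLICIES = {
    "whitelist": whitelist,
    "blacklist": blacklist,
    "blacklist_tls12_only": blacklist_tls12_only,
}


def compare(version, suite):
    """Return each policy's verdict: None (proceed) or an HTTP/2 error code."""
    return {name: check(version, suite) for name, check in POLICIES.items()}


# Constructed negotiation results. The suite X name and the future version
# label are made up to exercise the unknown-suite and version-gate cases.
SAMPLES = [
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("TLSv1.2", "TLS_RSA_WITH_RC4_128_SHA"),
    ("TLSv1.2", "TLS_EXAMPLE_WITH_NEW_CIPHER_X"),
    ("TLSv1.x-future", "TLS_RSA_WITH_AES_128_CBC_SHA"),
]

if __name__ == "__main__":
    for version, suite in SAMPLES:
        print(version, suite, compare(version, suite))
```

The third sample is the case described in the quoted message: only the whitelist returns INADEQUATE_SECURITY for a suite whose properties the implementation does not yet know.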
