- From: Greg Wilkins <gregw@intalio.com>
- Date: Mon, 6 Oct 2014 15:37:01 +1100
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Received on Monday, 6 October 2014 04:37:29 UTC
On 6 October 2014 10:45, Mark Nottingham <mnot@mnot.net> wrote:

> That’s by design. Nothing stops someone from explicitly configuring a pair
> of endpoints to violate the protocol for testing purposes:

There is something stopping that. We have a fragile handshake that will definitely break if 9.2.2 is implemented by configuration.

9.2.2 is hard coded in FF and the discussion here has been very much that implementations should check cipher properties. So there is no "Configuring" of 9.2.2 non-compliance, you might configure in a null/weak cipher, but the hard coded isAEAD() will reject it for h2 purposes.

You cannot simultaneously argue that deployers can configure their endpoints however they like for their special needs AND that the fragile handshake will never break because there will never be differing interpretations of 9.2.2.

So I remain in the can't live with it camp for 9.2.2. I cannot live with a deliberately fragile and inflexible design. Jetty will not be implementing this (not that we have the option as the APIs do not exist for us to do so).

regards

--
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com advice and support for jetty and cometd.