Re: null ciphers in 9.2.2 from Greg Wilkins on 2014-10-07 (ietf-http-wg@w3.org from October to December 2014)

From: Greg Wilkins <gregw@intalio.com>
Date: Wed, 8 Oct 2014 09:50:58 +1100
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAH_y2NHM3F9+ccT6QXTG6AY=0_wuqrmGiC-2VpHM+RadfZhUAw@mail.gmail.com>

On 8 October 2014 09:37, Martin Thomson <martin.thomson@gmail.com> wrote:

> The switches exist only for private deployments.
>

Can guarantee that no such private standards overrides have ever been
deployed publicly?  Or even become the new norm?  RFC2616 had a 2
connection limit, but circumstances made browser first optionally breach
that and then eventually it became the new norm?     We cannot predict the
future and we cannot say that 9.2.2 breaches may not eventually be widely
deployed.

Rather than saying the fragile handshake will not be a problem because you
know what the future will hold, why not just fix the fragile handshake?

What is the down side of fixing the handshake?

-- 
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.

Received on Tuesday, 7 October 2014 22:51:25 UTC