Re: Updated 9.2

On Fri, Oct 10, 2014 at 10:41 AM, Martin Thomson
<martin.thomson@gmail.com> wrote:
>  - All of the TLS usage restrictions only apply to TLS 1.2 (TLS 1.3
> won't permit all these things anyway), except the SNI requirement

I feel all these qualifiers of "TLS 1.2" are confusing because they
imply that the rules will be different for other versions of TLS. But,
older versions of TLS are not allowed and TLS 1.3 will have the same
rules anyway, so the "1.2" qualifiers seem unnecessary.

>  - Added explicit permission to fall back to HTTP/1.1
>    -- There is a risk of a modest form of downgrade attack here that
> I've identified

First of all, anything not forbidden is allowed already, so I don't
think that this needs to be explicitly stated even if it is allowed.
More importantly, I do not think that the HTTP/2 specification should
be endorsing this behavior--not only due to the increased risk of
downgrade attacks and increased complexity required to prevent them,
but also because this mechanism encourages implementations to do
things that are counterproductive to efficiency and performance (i.e.
counter to the whole reason for HTTP/2 to exist). Finally, if it isn't
a SHOULD or MUST level requirement then it doesn't promote improved
interoperability; in fact, I would say it decreases interoperability
because some servers might expect/require clients to actually do that
fallback, but many (AFAICT) won't.

>  - Added a recommendation to order cipher suites with preferred ones first
>
>  - Prohibited the advertisement or selection of cipher suites that are
> not known to conform to the cipher suite restrictions
>
>  - Reduced the ECDHE security level to 112

See my other message about the change to the 112 bit security level. I
suggested a better (IMO) alternative.

I also think that you should add a requirement that the client not
advertise HTTP/2 in its ALPN extension if ClientHello.client_version
is less than TLS 1.2. This would keep the TLS version requirements
from being an interop issue at all.

Cheers,
Brian

Received on Friday, 10 October 2014 18:57:27 UTC
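
The ALPN rule proposed in the last paragraph of the message, written as a receiver-side check. This is an added example, not code from the thread or from any HTTP/2 implementation. The "h2" token is the ALPN identifier later registered for HTTP/2 over TLS (drafts used "h2-NN"), the helper names are hypothetical, and the ClientHello bytes are constructed sample input.

```python
import struct

ALPN_EXT = 16        # application_layer_protocol_negotiation (RFC 7301)
TLS_1_2 = (3, 3)     # ClientHello.client_version wire value for TLS 1.2

def parse_client_hello(body):
    """Return (client_version, ALPN names) from a well-formed ClientHello body."""
    version = (body[0], body[1])
    pos = 2 + 32                                        # version + random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    protocols = []
    if pos == len(body):                                # extensions are optional
        return version, protocols
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == ALPN_EXT:
            p, stop = pos + 2, pos + ext_len            # skip 2-byte list length
            while p < stop:
                n = body[p]
                protocols.append(body[p + 1:p + 1 + n].decode("ascii"))
                p += 1 + n
        pos += ext_len
    return version, protocols

def violates_proposed_rule(body):
    """True if HTTP/2 is advertised while client_version is below TLS 1.2."""
    version, protocols = parse_client_hello(body)
    offers_h2 = any(p == "h2" or p.startswith("h2-") for p in protocols)
    return offers_h2 and version < TLS_1_2

def build_client_hello(version, protocols):
    """Constructed sample: minimal ClientHello body carrying only ALPN."""
    names = b"".join(bytes([len(p)]) + p.encode("ascii") for p in protocols)
    alpn = struct.pack("!H", len(names)) + names
    ext = struct.pack("!HH", ALPN_EXT, len(alpn)) + alpn
    return (bytes(version) + bytes(32) + b"\x00"        # version, random, empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                               # null compression only
            + struct.pack("!H", len(ext)) + ext)

if __name__ == "__main__":
    for ver in [(3, 1), (3, 3)]:                        # TLS 1.0, then TLS 1.2
        hello = build_client_hello(ver, ["h2", "http/1.1"])
        print(ver, parse_client_hello(hello)[1], violates_proposed_rule(hello))
```

The parser assumes a well-formed body; truncated input raises `IndexError` or `struct.error` rather than returning a result.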