Re: #612: 9.2.2 requirements

On Mon, Oct 27, 2014 at 4:54 PM, Mark Nottingham <mnot@mnot.net> wrote:

> Thoughts?
POODLE is direct evidence that algorithms that are necessary for interop
simply don't get deprecated in the field even when they are superseded.
Requiring current best practices at least makes a clean break for h2 which
doesn't have the interop baggage. Half measures are an unnecessarily weak
effort.

This is exacerbated by the previous decision to move from NPN to ALPN - a
client interested in restricting h2 to newer security suites can no longer
effectively do so as the server is allowed to choose old (perhaps h1
suitable suites) along with h2. That problem would not be symmetrical for a
server with NPN wishing to enforce a higher level of security as it still
selects the cipher suite. Brian provided convincing reasoning previously on
why a peer would want to do so.

We can do better.

Received on Tuesday, 28 October 2014 01:39:46 UTC
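The asymmetry described in the message above, as an added model that is not part of the original thread: under both NPN and ALPN the server picks the cipher suite, but only under ALPN does it also pick the application protocol, leaving a client that wants h2 solely over newer suites with nothing but a post-handshake abort. The suite names are real TLS names; the "acceptable for h2" set, the offer lists and the server preferences are constructed for the example.

```python
OLD_CIPHER = "TLS_RSA_WITH_AES_128_CBC_SHA"           # RSA key exchange, CBC
NEW_CIPHER = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"  # ECDHE + AEAD

# Assumed client policy (constructed): h2 only over these suites, h1 over anything.
H2_ACCEPTABLE = {NEW_CIPHER}

# Offers a client that still needs h1 interop ends up sending (constructed).
CLIENT_CIPHERS = [NEW_CIPHER, OLD_CIPHER]
PROTOS = ["h2", "http/1.1"]


def pick_cipher(server_pref, client_ciphers):
    """Both NPN and ALPN: the server selects the cipher suite by its own order."""
    cipher = next((c for c in server_pref if c in client_ciphers), None)
    if cipher is None:
        raise ValueError("handshake failure: no common cipher suite")
    return cipher


def alpn_negotiate(server_cipher_pref, server_protos):
    """ALPN: the server also selects the application protocol (first entry of
    its own list that the client offered). The client learns both choices from
    ServerHello and can then only accept the pairing or abort the connection."""
    cipher = pick_cipher(server_cipher_pref, CLIENT_CIPHERS)
    proto = next((p for p in server_protos if p in PROTOS), None)
    accept = proto != "h2" or cipher in H2_ACCEPTABLE
    return cipher, proto, accept


def npn_negotiate(server_cipher_pref, server_protos):
    """NPN: the server advertises its protocols in ServerHello and the client
    picks one later in the handshake, already knowing the cipher suite, so it
    can fall back to h1 instead of pairing h2 with a suite it does not want."""
    cipher = pick_cipher(server_cipher_pref, CLIENT_CIPHERS)
    wanted = PROTOS if cipher in H2_ACCEPTABLE else ["http/1.1"]
    proto = next((p for p in wanted if p in server_protos), None)
    return cipher, proto, proto is not None


if __name__ == "__main__":
    old_first = [OLD_CIPHER, NEW_CIPHER]  # a server that still prefers the old suite
    print("ALPN:", alpn_negotiate(old_first, PROTOS))  # old suite paired with h2: abort
    print("NPN: ", npn_negotiate(old_first, PROTOS))   # old suite, client settles for h1
```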