Re: Requiring TLS 1.3 as alternative to HTTP/2 section 9.2.2

I’ve asked the TLS WG chairs for their estimate of when 1.3 will LC, and the answer was that they’re hoping to WGLC around Dallas, but that may be “too aggressive.”

My perception is that there isn’t yet a lot of confidence about that date.

Regards,


> On 27 Oct 2014, at 6:42 pm, Dave Garrett <davemgarrett@gmail.com> wrote:
> 
> It looks like HTTP/2 section 9.2.2 is on the chopping block, with little push-back thus far, so I'm going to ask the obvious question: what's going to replace it?
> 
> Attempting to enforce cipher requirements here is problematic; however, removing these requirements will also add its own interoperability problems. If a server were to follow the spec without these requirements, then a browser that already implements them will reject the connection. Unless everyone is also going to pledge to remove already implemented security checks, this will be an issue. Without 9.2.2, even RC4 is valid for HTTP/2 traffic, which seems like something implementors would fight against introducing.
> 
> There were a few people that suggested simply waiting for TLS 1.3 and requiring that instead of TLS 1.2 plus a series of hacks. Is it possible to fast-track TLS 1.3 from its current draft to standardization for HTTP/2, and move further TLS development to 1.4? This is the simplest solution and obsoletes almost all of section 9.2, not just 9.2.2.
> 
> I guess the real question is: can two working groups work together here?
> 
> 
> 
> -- Dave
> 
> 
> 

--
Mark Nottingham   http://www.mnot.net/

Received on Tuesday, 28 October 2014 17:08:25 UTC