Re: #612: 9.2.2 and ALPN

On Nov 12, 2014, at 9:56 PM, Yoav Nir wrote:
> Much as I agree with you about section 9.2.2 and the behavior that it prescribes being inappropriate for this document, the working group has considered this argument months ago, and then again weeks ago and rejected it.

No, it didn't.  The part of the working group that actually implements
servers for use by others agrees with me.  The chair and the IESG
do not.  The compromise that Mark posted is "good enough" because it
simply presents the likely interop failure that Ekr described, instead
of requiring that an h2 server do something about it.

Unfortunately, this is a case where the spec will end up saying
some things that are simply ignored by implementations, since it isn't
the HTTP server's responsibility to override or even second-guess the
TLS configuration. In most cases it won't matter, since the same
servers willing to deploy h2 are the ones most likely to have admins
that prefer stronger ciphersuites.

> What’s more, I don’t think anyone has argued that TLS_RSA_WITH_AES_128_CBC_SHA is insecure when used with TLS 1.2. It is a fine, secure ciphersuite. Nevertheless, the CBC construction has in the past been a source of vulnerabilities, all of which could be worked around, but which required changes to deployed products. GCM-based ciphersuites are faster and AEAD constructions are considered to have more robust security. That is not to say that TLS_RSA_WITH_AES_128_GCM is more secure than TLS_RSA_WITH_AES_128_CBC_SHA, just that we believe the likelihood of the next BEAST, LUCKY13 or POODLE happening in the latter is much greater than the likelihood of it happening in the former. For this reason the working group has decided that the new protocol HTTP/2 will use only AEAD ciphersuites.

That isn't something the WG can decide for others.  Admins might follow
that recommendation, but it is far outside the scope of HTTP.

> Would you object less if the error code was named INAPPROPRIATE_SECURITY rather than INADEQUATE_SECURITY?

It doesn't matter -- the connection is irrelevant as soon as it is closed.

....Roy

Received on Thursday, 13 November 2014 08:33:04 UTC