- From: Eric J. Bowman <eric@bisonsystems.net>
- Date: Thu, 13 Nov 2014 19:31:00 -0700
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: Eric Rescorla <ekr@rtfm.com>, Greg Wilkins <gregw@intalio.com>, Ryan Hamilton <rch@google.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
"Roy T. Fielding" <fielding@gbiv.com> wrote:
>
> > Well, it certainly sends INADEQUATE_SECURITY, but I think that that
> > MAY is primarily about the client. The bottom line here is that if
> > a server selects h2 and a BAD cipher suite, it is exposing itself
> > to undefined behavior from the client in the form of the client
> > terminating the connection with INADEQUATE_SECURITY.
>
> Yes, though I don't see why that would be considered exposing itself.
>

Neither do I. But, we didn't see why anything else that's been exploited would be considered exposure, either. Which is why I'm against protocol chatter offering hints about what's secure and what isn't. Call it a gut feeling. Aside from the practical notion that specifics about TLS handshaking seem out-of-scope re: HTTP.

-Eric
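The disagreement in this thread turns on what an endpoint may do once h2 has been selected over TLS together with a cipher suite the HTTP/2 specification (what became RFC 7540, section 9.2.2 and Appendix A) black-lists. The following is an added example, not code from the thread or from any of its participants: it encodes the two criteria Appendix A states for its list (an ephemeral DHE/ECDHE key exchange and an AEAD cipher; null, stream and CBC-mode block ciphers are listed) as a check a server could run before committing to h2, and shows the case under discussion, TLS 1.2's mandatory TLS_RSA_WITH_AES_128_CBC_SHA, being flagged while TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 passes. The name parsing, the marker strings and the function names are this example's own; the authoritative answer is the Appendix A list itself, which this heuristic approximates (suites not registered under the TLS_<kx>_WITH_<cipher> naming pattern are treated as inadequate).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Key-exchange tokens that give forward secrecy; RFC 7540 section 9.2 asks
# for ephemeral DHE/ECDHE, so anything else counts as non-ephemeral here.
EPHEMERAL_KX = {"DHE", "ECDHE"}

# Substrings that identify the AEAD cipher families in IANA suite names.
# Every other cipher type (null, stream, CBC block) is on the Appendix A
# black list.  These markers are this example's own heuristic.
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")

# IANA cipher suite names follow TLS_<key exchange>_WITH_<cipher and MAC>.
_SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)$")


@dataclass
class SuiteCheck:
    suite: str
    adequate: bool
    reasons: List[str] = field(default_factory=list)


def check_cipher_suite(name: str) -> SuiteCheck:
    """Apply the two Appendix A criteria to one IANA cipher suite name."""
    m = _SUITE_RE.match(name)
    if not m:
        return SuiteCheck(name, False, ["unrecognised cipher suite name"])
    kx_tokens = set(m.group("kx").split("_"))
    cipher = "_" + m.group("cipher")          # leading "_" so "_GCM_" matches
    reasons: List[str] = []
    if not kx_tokens & EPHEMERAL_KX:
        reasons.append("no ephemeral key exchange (DHE/ECDHE)")
    if not any(marker in cipher for marker in AEAD_MARKERS):
        reasons.append("non-AEAD cipher (null, stream or CBC mode)")
    return SuiteCheck(name, not reasons, reasons)


def h2_decision(selected_alpn: str, suite: str) -> Optional[str]:
    """Model what a conforming endpoint may do once ALPN and the suite are known.

    Returns "INADEQUATE_SECURITY" when h2 was selected together with a
    black-listed suite (the endpoint MAY send that connection error), and
    None otherwise.  Section 9.2.2 also says an endpoint MUST NOT raise the
    error for a suite that is not on the black list, so an adequate suite
    always yields None.
    """
    if selected_alpn != "h2":
        return None  # HTTP/1.1 over the same TLS stack carries no such rule
    return None if check_cipher_suite(suite).adequate else "INADEQUATE_SECURITY"


def audit(suites: List[str]) -> List[SuiteCheck]:
    """Classify a server's configured suite list before enabling h2 via ALPN."""
    return [check_cipher_suite(s) for s in suites]


if __name__ == "__main__":
    # Constructed sample configuration, not taken from any real server.
    configured = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",      # the one suite h2 MUST support
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",       # ephemeral, but CBC
        "TLS_RSA_WITH_AES_128_GCM_SHA256",           # AEAD, but static RSA
        "TLS_RSA_WITH_AES_128_CBC_SHA",              # TLS 1.2's mandatory suite
    ]
    for result in audit(configured):
        verdict = "ok" if result.adequate else "; ".join(result.reasons)
        print(f"{result.suite:48s} {verdict}")
    print(h2_decision("h2", "TLS_RSA_WITH_AES_128_CBC_SHA"))
```

A server that independently negotiates ALPN and the cipher suite can end up in exactly the situation the thread describes; running `audit` over the configured suite list, or gating `h2` in the ALPN callback on `check_cipher_suite(...).adequate`, keeps a black-listed suite from ever being paired with h2 in the first place.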
Received on Friday, 14 November 2014 02:32:01 UTC