- From: Yoav Nir <ynir.ietf@gmail.com>
- Date: Tue, 18 Nov 2014 10:36:58 +0200
- To: Mike Bishop <Michael.Bishop@microsoft.com>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP <ietf-http-wg@w3.org>
> On Nov 18, 2014, at 10:09 AM, Mike Bishop <Michael.Bishop@microsoft.com> wrote: > > I continue to object to the idea that HTTP/2 "MUST NOT" use the ciphers on the list, for the reasons that we, Roy, and others have outlined. > >> SHOULD NOT >> This phrase, or the phrase "NOT RECOMMENDED" mean that >> there may exist valid reasons in particular circumstances when the >> particular behavior is acceptable or even useful, but the full >> implications should be understood and the case carefully weighed >> before implementing any behavior described with this label. > > The definition from 2119 reads exactly like cipher suite selection -- there may be valid reasons to use (some of) these cipher suites, but you do need to think carefully before making that choice because it's certainly not universal. Peers who see one of these suites SHOULD send INADEQUATE_SECURITY -- the corollary to that is that these cipher suites SHOULD NOT be used. I thought that we had decided that clients seeing these MAY send INADEQUATE_SECURITY. Regardless, unlike MAY and MUST, you can’t just use “SHOULD” and “SHOULD NOT” in a document. They require an explanation of why you should not, and under what circumstances your are allowed to do that something that your should not do. So, if we agree with you, we need to complete the sentence, “HTTP/2.0 clients and server SHOULD NOT use ciphers from this list unless …” And I don’t think we’ll have consensus on “… the administrator really really wants to”. We might get one on “… the implementation cannot control or determine the ciphersuite used by TLS”, but I don’t think we will. Yoav
Received on Tuesday, 18 November 2014 08:37:27 UTC