Re: #612: Adopting pull #644

Hi Mike,

> On 18 Nov 2014, at 7:09 pm, Mike Bishop <Michael.Bishop@microsoft.com> wrote:
> 
> I continue to object to the idea that HTTP/2 "MUST NOT" use the ciphers on the list, for the reasons that we, Roy, and others have outlined.
> 
>> SHOULD NOT
>>  This phrase, or the phrase "NOT RECOMMENDED" mean that
>>  there may exist valid reasons in particular circumstances when the
>>  particular behavior is acceptable or even useful, but the full
>>  implications should be understood and the case carefully weighed
>>  before implementing any behavior described with this label.
> 
> The definition from 2119 reads exactly like cipher suite selection -- there may be valid reasons to use (some of) these cipher suites, but you do need to think carefully before making that choice because it's certainly not universal.  Peers who see one of these suites SHOULD send INADEQUATE_SECURITY -- the corollary to that is that these cipher suites SHOULD NOT be used.  Otherwise, we're veering into RFC 6919.
> 
> However, the gist of the pull request reflects my understanding of the room's compromise from HNL, yes.  If the WG as a whole wants to move forward with the MUST NOT, I'm willing to be in the rough here.  Close enough.

I do remember a discussion along these lines, but don't see anything in the minutes reflecting that, so it could have been a hallway chat after the meeting. IIRC making this change wasn't controversial there (but of course that's just the hallway).

What do people think about changing this text:

"""
A deployment of HTTP/2 over TLS 1.2 MUST NOT use any of the cipher suites that are only be used with cipher suites that are listed in <xref target="BadCipherSuites"/>
"""

to a SHOULD NOT?

Regards,


--
Mark Nottingham   https://www.mnot.net/

Received on Friday, 21 November 2014 01:47:30 UTC