W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2016

Re: FW: New Version Notification for draft-thomson-http2-client-certs-01.txt

From: Ilari Liusvaara <ilariliusvaara@welho.com>
Date: Tue, 26 Jan 2016 23:38:13 +0200
To: Mike Bishop <Michael.Bishop@microsoft.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20160126213813.GA5528@LK-Perkele-V2.elisa-laajakaista.fi>
On Tue, Jan 26, 2016 at 08:23:00PM +0000, Mike Bishop wrote:
> Based on feedback from this WG in Yokohama and on-list feedback from
> the TLS WG, Martin and I have a new (largely rewritten) version of
> the client cert draft.  As I promised Mark, people will hate it, but
> they will at least hate it in different ways than the previous version!

Some quick comments (some less sensible, some more sensible):

- Needs to require EMS or TLS 1.3. Any use of TLS-EXPORTER for auth on
  connections vulernable to THS is no-no.
- What does "future streams associated with this request" mean exactly.
  Covering a stream client did not intend to is no-no.
- How does client revoke AUTOMATIC_USE on some certificate (or all
  certificates) in sequentially consistent way? For the same reasons
  as previous.
- Why 1024 byte exporter output? That seems excessively large. 64
  bytes is already 512 bits, which is high even if actual security
  is cut in half somehow.
- There are all sorts of crappy TLS HashAndSignatureAlgorithm values
  that need forbidding, like DSA or ones using MD5 or SHA1.


-Ilari
Received on Tuesday, 26 January 2016 21:38:44 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 22 March 2016 12:47:11 UTC