W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2016

Re: FW: New Version Notification for draft-thomson-http2-client-certs-01.txt

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 27 Jan 2016 09:04:09 +1100
Message-ID: <CABkgnnVXvdLr7fh=Dc2HswE=hAmq30k2aXMvdi7u18=jj2iv9w@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Mike Bishop <Michael.Bishop@microsoft.com>, HTTP Working Group <ietf-http-wg@w3.org>
Thanks for the prompt feedback Ilari,

On 27 January 2016 at 08:38, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> - Needs to require EMS or TLS 1.3. Any use of TLS-EXPORTER for auth on
>   connections vulernable to THS is no-no.

Yes, absolutely.

> - What does "future streams associated with this request" mean exactly.
>   Covering a stream client did not intend to is no-no.

Context?

> - How does client revoke AUTOMATIC_USE on some certificate (or all
>   certificates) in sequentially consistent way? For the same reasons
>   as previous.

GOAWAY & close.  Note that you might be better off asking for the
removal of AUTOMATIC_USE if this is a concern you have.  Also note
that you are asking for a level of control that the server doesn't
get.

> - Why 1024 byte exporter output? That seems excessively large. 64
>   bytes is already 512 bits, which is high even if actual security
>   is cut in half somehow.

Hmm, yes, 64 bytes is plenty.

> - There are all sorts of crappy TLS HashAndSignatureAlgorithm values
>   that need forbidding, like DSA or ones using MD5 or SHA1.

Good point.  We should limit this to DSA with SHA1.
Received on Tuesday, 26 January 2016 22:04:36 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 22 March 2016 12:47:11 UTC