Re: FW: New Version Notification for draft-thomson-http2-client-certs-01.txt from Martin Thomson on 2016-01-27 (ietf-http-wg@w3.org from January to March 2016)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 28 Jan 2016 04:41:34 +1100
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Mike Bishop <Michael.Bishop@microsoft.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABkgnnU1qubvnAzfQS+pbzVi7nVANK+sgyKbGEpV2t83X8TZMw@mail.gmail.com>

On 27 January 2016 at 19:47, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> Basically, I favor dropping insecure or excessively weak algorithms
> from new specifications or versions, even at severe cost to deploy-
> ability. We have gotten burned *far* too many times from not doing that,
> and *will* get burned in future if we continue allowing those.

I'm always happy to use support for a new feature as a signal that
it's safe to ratchet the security knob one step further.  Let's just
make sure that we have good justification.  EMS and reduced signature
algorithms is a fine suggestion here because they have a material
impact on the properties we are looking to gain.

If you want to suggest anything else, I'm open to it, but I think we
need at least a little justification.

Received on Wednesday, 27 January 2016 17:42:03 UTC