
Re: FW: New Version Notification for draft-thomson-http2-client-certs-01.txt

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 28 Jan 2016 04:41:34 +1100
Message-ID: <CABkgnnU1qubvnAzfQS+pbzVi7nVANK+sgyKbGEpV2t83X8TZMw@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Mike Bishop <Michael.Bishop@microsoft.com>, HTTP Working Group <ietf-http-wg@w3.org>

On 27 January 2016 at 19:47, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> Basically, I favor dropping insecure or excessively weak algorithms
> from new specifications or versions, even at severe cost to
> deployability. We have gotten burned *far* too many times from not doing that,
> and *will* get burned in future if we continue allowing those.

I'm always happy to use support for a new feature as a signal that
it's safe to ratchet the security knob one step further.  Let's just
make sure that we have good justification.  EMS and reduced signature
algorithms is a fine suggestion here because they have a material
impact on the properties we are looking to gain.

If you want to suggest anything else, I'm open to it, but I think we
need at least a little justification.
Received on Wednesday, 27 January 2016 17:42:03 UTC
