RE: Stricter TLS Usage in HTTP/2

Hi Martin,

Disabling/removing obsolete TLS versions and weak cipher suites, when possible, is a good idea. UTA maintains a TLS BCP aiming to provide reasonably current recommendations for secure use of TLS: http://tools.ietf.org/html/draft-ietf-uta-tls-bcp-00. These recommendations are meant to change over time, so in my opinion it is best for application protocol specs to reference the TLS BCP, rather than duplicate snapshots of BCP recommendations or turn them into requirements.

Unless of course it can be shown that e.g. HTTP/2 is more vulnerable than other application protocols, when used over TLS with e.g. a CBC cipher suite, and therefore requires stricter TLS usage.

Regarding the availability of the AEAD ciphers in schannel, [1] does not include recent updates:
http://support.microsoft.com/kb/2929781/en-us#appliesto

Basically, schannel supports GCM cipher suites with ECDSA and RSA certs.

Cheers,

Andrei

From: Martin Thomson [mailto:martin.thomson@gmail.com]
Sent: Thursday, May 22, 2014 1:22 PM
To: William Chan (陈智昌)
Cc: HTTP Working Group; Adam Langley; Andrei Popov
Subject: Re: Stricter TLS Usage in HTTP/2


On 22 May 2014 12:58, William Chan (陈智昌) <willchan@chromium.org> wrote:
agl@ thought it'd be nice if we could change the spec [to be AEAD only]. Is this controversial? Can we change the spec's guidance here to be more strict?

Andrei, can you comment on the availability of AEAD ciphers in schannel?  [1] shows them as only being available with ECDSA certificates.

One data point that might be relevant to this discussion is that TLS 1.3 *only* supports AEAD modes.  But this proposal seems to go a little further than that by selecting a very narrow set of acceptable suites.
--Martin

[1] http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757%28v=vs.85%29.aspx

Received on Friday, 23 May 2014 23:54:04 UTC