W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2014

Re: Stricter TLS Usage in HTTP/2

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 3 Jun 2014 15:17:11 -0700
Message-ID: <CABkgnnWy2uWwvq9AzkRhW_YLonaGW1+d2d=O7wKPGq8PTOWZ0w@mail.gmail.com>
To: William Chan (陈智昌) <willchan@chromium.org>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Adam Langley <agl@google.com>
On 22 May 2014 12:58, William Chan (陈智昌) <willchan@chromium.org> wrote:

> agl@ thought it'd be nice if we could change the spec to reflect
> Chromium's stricter stance here (
> https://codereview.chromium.org/291093002/#msg14). Is this controversial?
> Can we change the spec's guidance here to be more strict?

I've opened https://github.com/http2/http2-spec/issues/491 to track this.
The feedback I've gotten from Mozilla folks is that this would be
acceptable to them, though unilateral action from Chrome is not.

The suites we most need to talk about are those that include RC4, 3DES and
AES CBC modes.

Looking at the registry we could simply decide to forbid anything but AEAD
modes, which excludes the suites that use the following constructs: NULL,
RC2, DES, IDEA, DES40, SEED, MD5 (which is used with RC4), and some ARIA
and CAMELLIA modes.  I suspect that the loss of many of these will not be
too hard on folks.
Received on Tuesday, 3 June 2014 22:17:39 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:31 UTC