- From: Richard Wheeldon (rwheeldo) <rwheeldo@cisco.com>
- Date: Wed, 4 Jun 2014 15:42:58 +0000
- To: Patrick McManus <mcmanus@ducksong.com>, Yoav Nir <ynir.ietf@gmail.com>
- CC: Martin Thomson <martin.thomson@gmail.com>, William Chan (陈智昌) <willchan@chromium.org>, "HTTP Working Group" <ietf-http-wg@w3.org>, Adam Langley <agl@google.com>

From: patrick.ducksong@gmail.com [mailto:patrick.ducksong@gmail.com] On Behalf Of Patrick McManus

> making the chosen ciphersuite depend on the version of HTTP selected is already a requirement of HTTP2. The proposal here is about a change to that criteria. Section 9.2

Do we want to revisit that? Personally, I feel that mandating stronger cipher suites makes a lot of sense but there're a couple of caveats:

- I'm not sure how this plays with opportunistic TLS
- I think we need to be stronger on the use of ALPN. Maybe "Implementations of HTTP/2 MUST support ALPN on all TLS connections" under 9.2? There's a server requirement under 3.4 but unless I'm mistaken no hard requirement on the client.
- I'd like to hear from someone who deals with offloaded or off-box decryption of TLS as to how this will play out for them.

Richard

Received on Wednesday, 4 June 2014 15:43:27 UTC