
RE: Stricter TLS Usage in HTTP/2

From: Richard Wheeldon (rwheeldo) <rwheeldo@cisco.com>
Date: Wed, 4 Jun 2014 15:42:58 +0000
To: Patrick McManus <mcmanus@ducksong.com>, Yoav Nir <ynir.ietf@gmail.com>
CC: Martin Thomson <martin.thomson@gmail.com>, William Chan (陈智昌) <willchan@chromium.org>, "HTTP Working Group" <ietf-http-wg@w3.org>, Adam Langley <agl@google.com>
Message-ID: <0566CA5E9B906D40B6737DD47DA9FB8F1B513C67@xmb-rcd-x04.cisco.com>
From: patrick.ducksong@gmail.com [mailto:patrick.ducksong@gmail.com] On Behalf Of Patrick McManus
 > making the chosen ciphersuite depend on the version of HTTP selected is already a requirement of HTTP2. The proposal here is about a change to that criteria. Section 9.2

Do we want to revisit that? Personally, I feel that mandating stronger cipher suites makes a lot of sense but there're a couple of caveats:
- I'm not sure how this plays with opportunistic TLS
- I think we need to be stronger on the use of ALPN. Maybe "Implementations of HTTP/2 MUST support ALPN on all TLS connections" under 9.2? There's a server requirement under 3.4 but unless I'm mistaken no hard requirement on the client.
- I'd like to hear from someone who deals with offloaded or off-box decryption of TLS as to how this will play out for them.

Richard

Received on Wednesday, 4 June 2014 15:43:27 UTC
