Re: Stricter TLS Usage in HTTP/2

On Wed, Jun 4, 2014 at 11:42 AM, Richard Wheeldon (rwheeldo) <
rwheeldo@cisco.com> wrote:

> From: patrick.ducksong@gmail.com [mailto:patrick.ducksong@gmail.com] On
> Behalf Of Patrick McManus
> > making the chosen ciphersuite depend on the version of HTTP selected is
> > already a requirement of HTTP2. The proposal here is about a change to that
> > criteria. Section 9.2
>
> Do we want to revisit that?


perhaps to make it stronger :)


> Personally, I feel that mandating stronger cipher suites makes a lot of
> sense but there're a couple of caveats:
> - I'm not sure how this plays with opportunistic TLS
>

we've implemented both the alt-svc and encryption drafts and enforce the
requirements of 9.2 and have not found this to be a problem.

Received on Wednesday, 4 June 2014 15:52:58 UTC