Re: Stricter TLS Usage in HTTP/2 from Martin Thomson on 2014-06-04 (ietf-http-wg@w3.org from April to June 2014)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 4 Jun 2014 09:58:43 -0700
To: Cory Benfield <cory@lukasa.co.uk>
Cc: ChanWilliam(陈智昌) <willchan@chromium.org>, "Richard Wheeldon, (rwheeldo)" <rwheeldo@cisco.com>, Yoav Nir <ynir.ietf@gmail.com>, Patrick McManus <mcmanus@ducksong.com>, Adam Langley <agl@google.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABkgnnWprrzVjhcqumOeUmCepTf3spGacnmuu-u0Q3esWRHJpQ@mail.gmail.com>

On Jun 4, 2014 9:47 AM, "Cory Benfield" <cory@lukasa.co.uk> wrote:
> Happy to mandate at least one of NPN and ALPN for both servers and
> clients. Servers _should_ support both but I see no reason to turn
> that into a must.

You have to have one of:
- support ALPN
- support NPN
- support both on client, either on server
- support either on client, both on server

Or you get the problem where peers support different mechanisms and
negotiation fails.

We have chosen the first option. The document didn't say MUST, but it is
still normative this regard.

We do recognize that - for a short while at least - NPN is more accessible
to some. So many people have enabled NPN to facilitate testing of other
parts of the protocol.

Received on Wednesday, 4 June 2014 16:59:10 UTC