- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 11 Mar 2014 08:57:37 +0100
- To: Yoav Nir <ynir.ietf@gmail.com>
- CC: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 2014-03-11 08:52, Yoav Nir wrote:
> ...
> This creates a strange dependency between HTTP versions and TLS versions.
>
> HTTP/2 forbids renegotiation and TLS 1.3 doesn't have it. OK for a new
> server, new browser, and new TLS library.
>
> HTTP/1 servers that need client authentication will have to downgrade to
> TLS 1.2 so they can get renegotiation.
> HTTP servers that support both HTTP versions will need to have
> convoluted logic in the TLS stack that says that if the ALPN did not
> include http2 then the ServerHello has to cap the versions at TLS 1.2.
>
> I'd much rather this new authentication scheme was HTTP version
> independent.

Well, the scheme itself *is* version independent. It's "just" harder to deploy with 1.1.

Is there an *alternative*, given the HTTP/2 constraints?

Best regards, Julian
Received on Tuesday, 11 March 2014 07:58:07 UTC
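The "convoluted logic in the TLS stack" that Yoav describes, as an added illustration that is not part of the thread and not code from either author: a Go server-side tls.Config whose GetConfigForClient hook inspects the ALPN list in each ClientHello and caps the negotiated version at TLS 1.2 unless the client offered h2. TLS 1.3 was not final when the message was written, so this uses today's crypto/tls constants; the protocol constants, function names and the "no ALPN means HTTP/1.x" rule are assumptions made for the example. Go's server side does not implement renegotiation at all, so the HTTP/1.1 client-certificate-by-renegotiation step the thread relies on is deliberately out of scope here; only the version dispatch is shown.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// ALPN protocol identifiers for HTTP/2 over TLS and HTTP/1.1.
// (Constants chosen for this example; the thread only says "http2".)
const (
	protoH2    = "h2"
	protoHTTP1 = "http/1.1"
)

// wantsHTTP2 reports whether the ALPN list the client offered in its
// ClientHello includes h2. A client that sends no ALPN extension at all
// is treated as HTTP/1.x (an assumption of this example).
func wantsHTTP2(supportedProtos []string) bool {
	for _, p := range supportedProtos {
		if p == protoH2 {
			return true
		}
	}
	return false
}

// maxTLSVersionFor is the per-connection rule from the thread: only a
// client that offered h2 may negotiate TLS 1.3; everyone else is capped
// at TLS 1.2, the last version with renegotiation, so the HTTP/1.1 path
// can still ask for a client certificate mid-connection.
func maxTLSVersionFor(supportedProtos []string) uint16 {
	if wantsHTTP2(supportedProtos) {
		return tls.VersionTLS13
	}
	return tls.VersionTLS12
}

// newServerConfig builds a server-side tls.Config that applies the rule
// above through GetConfigForClient, which crypto/tls invokes once per
// ClientHello before it selects a protocol version.
func newServerConfig(cert tls.Certificate) *tls.Config {
	base := &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   []string{protoH2, protoHTTP1},
		MinVersion:   tls.VersionTLS12,
	}
	base.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		cfg := base.Clone()
		cfg.GetConfigForClient = nil // the per-connection config is final
		cfg.MaxVersion = maxTLSVersionFor(hello.SupportedProtos)
		if cfg.MaxVersion == tls.VersionTLS12 {
			// Capped path: this connection can only ever be HTTP/1.1.
			// (Renegotiation-based client auth would hang off this path in a
			// stack that supports it; Go's server does not, so it is not shown.)
			cfg.NextProtos = []string{protoHTTP1}
		}
		return cfg, nil
	}
	return base
}

func main() {
	cfg := newServerConfig(tls.Certificate{}) // empty cert: dispatch only, no handshake
	// Constructed sample ClientHellos: h2-capable, HTTP/1.1-only, and no ALPN.
	for _, hello := range []*tls.ClientHelloInfo{
		{SupportedProtos: []string{protoH2, protoHTTP1}},
		{SupportedProtos: []string{protoHTTP1}},
		{},
	} {
		c, _ := cfg.GetConfigForClient(hello)
		fmt.Printf("ALPN %v -> max TLS version 0x%04x, server protos %v\n",
			hello.SupportedProtos, c.MaxVersion, c.NextProtos)
	}
}
```

The point the example makes concrete is the coupling Yoav objects to: the TLS layer has to read an application-layer hint (ALPN) to decide a transport-layer parameter (maximum version), and an HTTP/1.1 client that happens to support TLS 1.3 is still held back to 1.2 purely so that renegotiation remains available.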