Re: Ciphersuites (was Re: Mandatory to implement cipher suites)

On 17 July 2014 11:40, Yoav Nir <ynir.ietf@gmail.com> wrote:
> I fail to see why we need both a DHE and ECDHE ciphersuite. I prefer that we have only the ECDHE.
>
> DHE depends on the server sending down secure parameters, which the client has no way to verify. It’s also slower. If we’re not including AES-CBC+HMAC-SHA1 we might as well drop DHE as well.
>
> Having said that, I would have preferred to not have this requirement at all, and leave it to a TLS standard to have mandatory-to-implement ciphersuites. There is nothing special about HTTP(S) that makes some ciphersuite appropriate here while being less appropriate for SMTP. But if we’ve made up our minds to specify an MTI ciphersuite, I suggest we specify only one, and make that TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

I'm afraid we can't really do that without a risk of interoperability
failure.  TLS mandates something that we prohibit the use of.

Now, assuming that the TLS WG can produce a recommendation (probably
in the context of 1.3), we will use that.

I'm amenable to your suggestion of just ECDHE, one being better than
two when it comes to MTI.  I'll note that this is probably something
we should continue in the TLS WG, as we've done so far.

Received on Thursday, 17 July 2014 20:08:18 UTC