Ciphersuite requirements ext#26

>From the issue (

Section 3 implies that there are no cipher suite requirements on Opp
Sec, but it'd be good to discuss and formalise this. May require
tweaks to HTTP/2 (which places requirements on use of TLS, not TLS
with "https").


PHK will disagree, but I think that we're OK here. Better to have a
single robust profile than to permit exceptions. There are several
problems with exceptions or variations:

* oppsec will be detectable as such to a passive observer

* a single configurations is more robust; better to use a single code
path and far better not to risk weakening "https" accidentally

Received on Tuesday, 19 August 2014 18:23:33 UTC