- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 19 Aug 2014 11:23:06 -0700
- To: HTTP Working Group <ietf-http-wg@w3.org>
From the issue (https://github.com/httpwg/http-extensions/issues/26):

Section 3 implies that there are no cipher suite requirements on Opp Sec, but it'd be good to discuss and formalise this. May require tweaks to HTTP/2 (which places requirements on use of TLS, not TLS with "https").

--

PHK will disagree, but I think that we're OK here. Better to have a single robust profile than to permit exceptions. There are several problems with exceptions or variations:

* oppsec will be detectable as such to a passive observer
* a single configuration is more robust; better to use a single code path and far better not to risk weakening "https" accidentally

Received on Tuesday, 19 August 2014 18:23:33 UTC