Re: Ciphersuite requirements ext#26

So, are we saying that oppsec defers to the specific protocol negotiated for any ciphersuite requirements (e.g., h2 has a very specific high bar, while http/1.1-over-tls has none)?


On 20 Aug 2014, at 4:23 am, Martin Thomson <> wrote:

>> From the issue (
> Section 3 implies that there are no cipher suite requirements on Opp
> Sec, but it'd be good to discuss and formalise this. May require
> tweaks to HTTP/2 (which places requirements on use of TLS, not TLS
> with "https").
> --
> PHK will disagree, but I think that we're OK here. Better to have a
> single robust profile than to permit exceptions. There are several
> problems with exceptions or variations:
> * oppsec will be detectable as such to a passive observer
> * a single configuration is more robust; better to use a single code
> path and far better not to risk weakening "https" accidentally

Mark Nottingham
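The "single robust profile" position argued in the quoted text can be made concrete. The following is an added example (not code from this thread or from any of the HTTP or TLS specifications): one cipher-suite profile, written in IANA-style suite names (an assumed naming convention), is handed unchanged to both the "https" listener and the opportunistic-security listener, and a check refuses any profile that would fall below the h2 bar. The bar is approximated here as TLS 1.2 minimum, forward-secret key exchange and an AEAD cipher, which is my reading of the HTTP/2 requirements rather than a quotation of them; the config field names are likewise assumptions.

```python
import re

# Constructed profile in IANA-style suite names (assumed naming). Both listener
# kinds below use exactly this list, so there is one code path to get right.
SINGLE_PROFILE = [
    "TLS_AES_256_GCM_SHA384",                     # TLS 1.3
    "TLS_CHACHA20_POLY1305_SHA256",               # TLS 1.3
    "TLS_AES_128_GCM_SHA256",                     # TLS 1.3
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",      # h2's mandatory-to-implement suite
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]
MIN_VERSION = "TLSv1.2"

# TLS 1.2 naming: forward secrecy shows up as an ECDHE/DHE key-exchange token.
_EPHEMERAL_KX = re.compile(r"^TLS_(ECDHE|DHE)_(RSA|ECDSA|DSS|PSK)_WITH_")
# AEAD ciphers: GCM, CCM, CCM_8 or ChaCha20-Poly1305 (token may end the name).
_AEAD = re.compile(r"_(GCM|CCM|CCM_8|CHACHA20_POLY1305)(_|$)")


def suite_meets_h2_bar(suite: str) -> bool:
    """Approximation (assumption) of the HTTP/2 TLS bar for a single suite:
    forward-secret key exchange plus an AEAD cipher. TLS 1.3 suite names carry
    no key-exchange token because 1.3 key exchange is always ephemeral."""
    if suite.endswith("_SCSV"):          # signalling values are not cipher suites
        return False
    if "_WITH_" not in suite:            # TLS 1.3 naming: TLS_<aead>_<hash>
        return suite.startswith("TLS_") and bool(_AEAD.search(suite))
    return bool(_EPHEMERAL_KX.match(suite)) and bool(_AEAD.search(suite))


def profile_violations(profile):
    """Suites that would drag the shared profile below the h2 bar, and with it
    weaken "https" as well as oppsec, since both use the same list."""
    return [s for s in profile if not suite_meets_h2_bar(s)]


def listener_config(kind: str) -> dict:
    """One code path for both listener kinds: ciphers and minimum version do not
    vary with whether the connection is "https" or opportunistic. Only the
    server-authentication decision differs (assumed field name)."""
    if kind not in ("https", "opportunistic"):
        raise ValueError(f"unknown listener kind: {kind}")
    bad = profile_violations(SINGLE_PROFILE)
    if bad:
        raise ValueError(f"profile contains suites below the h2 bar: {bad}")
    return {
        "kind": kind,
        "min_version": MIN_VERSION,
        "ciphers": list(SINGLE_PROFILE),
        "require_server_auth": kind == "https",
    }


if __name__ == "__main__":
    for kind in ("https", "opportunistic"):
        cfg = listener_config(kind)
        print(kind, cfg["min_version"], len(cfg["ciphers"]), "suites")
```

Because the cipher list is identical on both listeners, a passive observer cannot tell an opportunistic connection from an "https" one by its handshake parameters, and the check in `listener_config` means a weak suite added "only for oppsec" is rejected before it can silently reach the "https" path.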

Received on Tuesday, 19 August 2014 23:59:41 UTC