- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 20 Aug 2014 09:59:13 +1000
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
So, are we saying that oppsec defers to the specific protocol negotiated for any ciphersuite requirements (e.g., h2 has a very specific high bar, while http/1.1-over-tls has none)?

Cheers,

On 20 Aug 2014, at 4:23 am, Martin Thomson <martin.thomson@gmail.com> wrote:

> From the issue (https://github.com/httpwg/http-extensions/issues/26):
>
> Section 3 implies that there are no cipher suite requirements on Opp
> Sec, but it'd be good to discuss and formalise this. May require
> tweaks to HTTP/2 (which places requirements on use of TLS, not TLS
> with "https").
>
> --
>
> PHK will disagree, but I think that we're OK here. Better to have a
> single robust profile than to permit exceptions. There are several
> problems with exceptions or variations:
>
> * oppsec will be detectable as such to a passive observer
>
> * a single configuration is more robust; better to use a single code
> path and far better not to risk weakening "https" accidentally

--
Mark Nottingham   https://www.mnot.net/
Received on Tuesday, 19 August 2014 23:59:41 UTC
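The "single robust profile, single code path" position in the quoted message can be shown as a policy check that deliberately ignores whether a connection was reached via "https" or via opportunistic TLS for an "http" origin. This is an added illustration, not code from the thread or from any HTTP/2 or Opportunistic Security draft; the concrete requirements it enforces (TLS 1.2 or later, ephemeral key exchange, an AEAD cipher, no TLS compression) are an assumed profile chosen for the example, not a transcription of the HTTP/2 draft's actual TLS rules, and the `TlsParams` type and function names are invented here.

```python
"""One TLS acceptance profile for both "https" and opportunistic "http" over TLS.

Added example; the requirements below are an assumed illustrative profile,
not the actual HTTP/2 or Opportunistic Security requirements.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsParams:
    """Negotiated parameters of one TLS connection (constructed for the example)."""
    version: tuple          # (major, minor), e.g. (1, 2) for TLS 1.2
    cipher_suite: str       # IANA-style name, e.g. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    compression: bool       # True if TLS-level compression was negotiated


EPHEMERAL_KX = ("ECDHE", "DHE")
AEAD_MARKERS = ("GCM", "CHACHA20_POLY1305", "CCM")


def ephemeral_kx(params):
    """Key exchange is forward-secret: TLS 1.3 suites always are; pre-1.3
    suites name their key exchange in the second token (TLS_<KX>_...)."""
    if params.version >= (1, 3):
        return True
    parts = params.cipher_suite.split("_")
    return len(parts) > 1 and parts[1] in EPHEMERAL_KX


def aead(cipher_suite):
    """Cipher is an AEAD construction (assumed profile rule)."""
    return any(marker in cipher_suite for marker in AEAD_MARKERS)


def profile_violations(params):
    """Return the list of profile rules the connection violates (empty if none)."""
    problems = []
    if params.version < (1, 2):
        problems.append("tls-version")
    if params.compression:
        problems.append("compression")
    if not ephemeral_kx(params):
        problems.append("key-exchange")
    if not aead(params.cipher_suite):
        problems.append("cipher")
    return problems


def acceptable(scheme, params):
    """Single code path: `scheme` ("https" or opportunistic "http") is
    accepted as a parameter only to document that it does NOT change the
    decision. A scheme-dependent relaxation here would (a) create a second
    configuration that could weaken "https" by mistake and (b) give passive
    observers a way to tell opportunistic connections apart by their
    negotiated parameters."""
    assert scheme in ("http", "https")
    return not profile_violations(params)


if __name__ == "__main__":
    good = TlsParams((1, 2), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", False)
    weak = TlsParams((1, 0), "TLS_RSA_WITH_AES_128_CBC_SHA", True)
    for scheme in ("https", "http"):
        print(scheme, "good:", acceptable(scheme, good), "weak:", profile_violations(weak))
```

The check is scheme-agnostic by construction: a server that wants to admit weaker parameters for opportunistic connections would have to add a branch on `scheme`, which is exactly the second configuration and second code path the quoted message argues against.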