- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 19 Aug 2014 17:03:34 -0700
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 19 August 2014 16:59, Mark Nottingham <mnot@mnot.net> wrote:
> So, are we saying that oppsec defers to the specific protocol negotiated for any ciphersuite requirements (e.g., h2 has a very specific high bar, while http/1.1-over-tls has none)?

Yes. Though I'd take exception at that latter statement. http/1.1 doesn't have no requirements, just none from the protocol itself. We might not have eliminated RC4 just yet, but we have managed to get rid of the obviously bad stuff (like RC2 and DES).

Received on Wednesday, 20 August 2014 00:04:05 UTC