Re: Ciphersuite requirements ext#26

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 19 Aug 2014 17:03:34 -0700
Message-ID: <CABkgnnVX05SfHLMo4tt=vyF5XQqO7DC2embcEPkvJcFeYt3K6w@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>

On 19 August 2014 16:59, Mark Nottingham <mnot@mnot.net> wrote:
> So, are we saying that oppsec defers to the specific protocol negotiated for any ciphersuite requirements (e.g., h2 has a very specific high bar, while http/1.1-over-tls has none)?

Yes.  Though I'd take exception at that latter statement.  http/1.1
doesn't have no requirements, just none from the protocol itself.  We
might not have eliminated RC4 just yet, but we have managed to get rid
of the obviously bad stuff (like RC2 and DES).

Received on Wednesday, 20 August 2014 00:04:05 UTC