
Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem

From: Simone Bordet <simone.bordet@gmail.com>
Date: Fri, 5 Sep 2014 15:53:35 +0200
Message-ID: <CAFWmRJ0yBs3Rn6B73N6XNgOB2M4Y-GhU+Dz19Ebs3-_rRiUYwA@mail.gmail.com>
To: Patrick McManus <mcmanus@ducksong.com>
Cc: Greg Wilkins <gregw@intalio.com>, Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Hi,

On Fri, Sep 5, 2014 at 2:05 PM, Patrick McManus <mcmanus@ducksong.com> wrote:
> they might well be inadequate for all those protocols, but we accept them
> for the sake of backwards compatibility. (basically the same reason we
> accept http:// urls at all).
>
> h2 is an opportunity to update to current best practice. If you design a
> pure h2 service you can be more confident in its security properties.

But is not this concern orthogonal to HTTP/2.0?

If tomorrow those ciphers are discovered flawed or better ones
invented, why should the HTTP/2.0 specification be modified at all?

For the record, while it may be possible to do something in JDK 8
about preferred ciphers (did not try yet), it's not possible in JDK 7
because the relevant methods have been added only in JDK 8.

Is this opportunity the only reason 9.2.2 is present in the HTTP/2.0
specification?

Thanks!

-- 
Simone Bordet
http://bordet.blogspot.com
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz
Received on Friday, 5 September 2014 13:54:07 UTC
