On Fri, Sep 5, 2014 at 9:53 AM, Simone Bordet <simone.bordet@gmail.com>
wrote:
> If tomorrow those ciphers are discovered flawed or better ones
> invented, why should the HTTP/2.0 specification be modified at all ?
>
The intent of the existing text is to provide minimum requirements for use
of a new protocol. If new approaches become a best practice in the future
they can be used with h2 (without modifying the h2 definition) as I
understand it. I'm sure Martin would entertain changes to the text to help
make that clear. And sure, as time goes by we will have problems along the
lines of "X is now known insecure, do I need to keep accepting it for
backwards compatibility" - but we don't have to start by allowing
X=RC4-SHA1 on day one.. this will help clear the decks of accumulated
cruft, which is worthwhile even if more cruft will inevitably arrive.