On Fri, Sep 5, 2014 at 9:53 AM, Simone Bordet <simone.bordet@gmail.com> wrote: > If tomorrow those ciphers are discovered flawed or better ones > invented, why should the HTTP/2.0 specification be modified at all ? > The intent of the existing text is to provide minimum requirements for use of a new protocol. If new approaches become a best practice in the future they can be used with h2 (without modifying the h2 definition) as I understand it. I'm sure Martin would entertain changes to the text to help make that clear. And sure, as time goes by we will have problems along the lines of "X is now known insecure, do I need to keep accepting it for backwards compatibility" - but we don't have to start by allowing X=RC4-SHA1 on day one.. this will help clear the decks of accumulated cruft, which is worthwhile even if more cruft will inevitably arrive.
Received on Friday, 5 September 2014 15:16:11 UTC