- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 5 Sep 2014 09:44:48 -0700
- To: Michael Sweet <msweet@apple.com>
- Cc: Patrick McManus <mcmanus@ducksong.com>, Simone Bordet <simone.bordet@gmail.com>, Greg Wilkins <gregw@intalio.com>, HTTP Working Group <ietf-http-wg@w3.org>

On 5 September 2014 08:29, Michael Sweet <msweet@apple.com> wrote:
> The TLS WG already has a draft outlawing RC4 for TLS/1.2.

And it hasn't really changed the fact that RC4 is widely used (and preferred). Even with Microsoft penalizing RC4 users now, I don't see it disappearing particularly fast.

The fact is, most of what we are recommending is OLD. TLS 1.2 itself is pretty old now at 6 years. And it's all widely deployed. What we're forbidding is really old, and lots of it has problems that might not mean that you are broken today (though RC4 is close). And then there are structural issues like the absence of PFS and problems with the formulation (mac then encrypt).

What experience has shown is that it is really hard to remove crypto. Even bad crypto. We don't get many opportunities to get a clean break and HTTP/2 was identified as that break point.

You might like to think that we're stepping outside of our scope of authority, but it's always been the case that TLS is provided as a tool. Application protocols (and applications) are definitely empowered to profile the protocol. They pretty much all do to some extent.

If you want to argue on process technicality grounds against us doing this, that's not going to work. A big part of why UTA exists is because it is an applications area responsibility to determine how TLS is best used. We're going to rely on that work, but we're grown-ups too and we have made some decisions for ourselves. That's exactly how this works.

Received on Friday, 5 September 2014 16:45:15 UTC
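
The three problems named in the message above (RC4, absence of PFS, MAC-then-encrypt) can be read off a TLS 1.2 cipher-suite name. The following Python code is an added example, not part of the original message or of any working-group text; the function names are hypothetical, the sample list is constructed, and classification is by IANA suite name only.

```python
# Added example: label TLS 1.2 cipher suites with the problems the message names.
# Assumption: input uses IANA names of the form TLS_<kx>_WITH_<cipher>_<mac>.

AEAD_MARKERS = ("_GCM_", "_CCM", "_CHACHA20_POLY1305")
EPHEMERAL_KX = ("TLS_DHE_", "TLS_ECDHE_")  # key exchanges that give forward secrecy

# Constructed sample, e.g. what a server configuration review might list.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]


def suite_problems(name):
    """Return the list of problems that apply to one TLS 1.2 suite name."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        # TLS 1.3 names carry no key exchange, so they cannot be judged here.
        raise ValueError("not a TLS 1.2 style suite name: %r" % name)
    problems = []
    if "_RC4_" in name:
        problems.append("rc4")
    if not name.startswith(EPHEMERAL_KX):
        problems.append("no-pfs")
    # Non-AEAD suites in TLS 1.2 MAC the plaintext and then encrypt. The name
    # cannot show whether the encrypt-then-MAC extension was negotiated.
    if not any(marker in name for marker in AEAD_MARKERS):
        problems.append("mac-then-encrypt")
    return problems


def audit(suites):
    """Map each suite that has at least one problem to its problem list."""
    report = {}
    for name in suites:
        problems = suite_problems(name)
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    for suite, problems in audit(SAMPLE_SUITES).items():
        print(suite, "->", ", ".join(problems))
```
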