- From: Jason Greene <jason.greene@redhat.com>
- Date: Thu, 18 Sep 2014 13:10:33 -0500
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: Greg Wilkins <gregw@intalio.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Sep 18, 2014, at 10:41 AM, Roy T. Fielding <fielding@gbiv.com> wrote:

> I still don't believe that any of these requirements belong in h2,
> and I won't implement them even if they end up in the RFC. It is
> not the HTTP server's responsibility to second-guess the configuration
> regarding the security properties of the underlying connections.
> We have no idea what hardware or gateways might be doing to secure those
> connections. We don't even know what TLS library is being used,
> since all we see is an API into someone else's code.
>
> TLS requirements belong in the TLS code.

I agree. Although I am sympathetic to the desire to establish conventions and sanity, to me these things seem to apply to HTTP/1.1 just as much as HTTP/2.

I am also sympathetic to clients that prefer to just work even in the face of poor security. So why not just display a warning when *anything* using TLS happens to pick a weak cipher? That will be just as motivating and far less error-prone.

--
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat
Received on Thursday, 18 September 2014 18:11:09 UTC