
Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem

From: Jason Greene <jason.greene@redhat.com>
Date: Thu, 18 Sep 2014 13:10:33 -0500
Cc: Greg Wilkins <gregw@intalio.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <41E9F731-AB44-45B0-BF02-67C39BD7E5AC@redhat.com>
To: "Roy T. Fielding" <fielding@gbiv.com>

On Sep 18, 2014, at 10:41 AM, Roy T. Fielding <fielding@gbiv.com> wrote:

> I still don't believe that any of these requirements belong in h2,
> and I won't implement them even if they end up in the RFC.  It is
> not the HTTP server's responsibility to second-guess the configuration
> regarding the security properties of the underlying connections.
> We have no idea what hardware or gateways might be doing to secure those
> connections.  We don't even know what TLS library is being used,
> since all we see is an API into someone else's code.
> TLS requirements belong in the TLS code.

I agree. Although I am sympathetic to the desire to establish conventions and sanity, to me these things seem to apply to HTTP/1.1 just as much as to HTTP/2. I am also sympathetic to clients that prefer to just work even in the face of poor security. So why not just display a warning when *anything* using TLS happens to pick a weak cipher? That will be just as motivating and far less error prone.

Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat
Received on Thursday, 18 September 2014 18:11:09 UTC
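The two policies argued in this exchange (the 9.2.2-style rejection at the h2 layer that Roy declines to implement, and the warn-on-any-weak-TLS-cipher alternative Jason proposes) as an added example; this is not code from the original message, nor from Jetty, Firefox, WildFly or any other implementation. It classifies IANA-style cipher suite names with the rule RFC 7540 Appendix A uses to generate its black list (ephemeral, authenticated key exchange plus an AEAD bulk cipher) and then applies each policy to a constructed set of negotiations. The policy names, function names, the sample suites and the treatment of TLS 1.3 suite names are this example's own assumptions.

```python
"""Cipher-suite policy: reject weak suites for h2 only, or warn for any TLS.

Added example, not the thread's own code. Sample negotiations below are
constructed; the acceptance rule mirrors RFC 7540 Appendix A (ephemeral,
authenticated key exchange and an AEAD bulk cipher).
"""
from __future__ import annotations

import logging
from dataclasses import dataclass

EPHEMERAL_KX = {"DHE", "ECDHE"}   # forward-secret key exchange in TLS 1.2 suite names
AEAD_TOKENS = {"GCM", "CCM"}      # AEAD bulk modes; CHACHA20_POLY1305 is checked separately
INADEQUATE_SECURITY = 0xC         # h2 error code RFC 7540 defines for this situation


@dataclass(frozen=True)
class Verdict:
    suite: str
    ephemeral: bool
    authenticated: bool
    aead: bool

    @property
    def acceptable(self) -> bool:
        # 9.2.2-style rule: ephemeral, authenticated key exchange and an AEAD cipher.
        return self.ephemeral and self.authenticated and self.aead

    def reasons(self) -> list[str]:
        out = []
        if not self.ephemeral:
            out.append("no ephemeral (DHE/ECDHE) key exchange")
        if not self.authenticated:
            out.append("anonymous key exchange")
        if not self.aead:
            out.append("bulk cipher is not an AEAD mode")
        return out


def classify(suite: str) -> Verdict:
    """Parse an IANA-style cipher suite name and apply the acceptance rule."""
    if not suite.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {suite!r}")
    body = suite[len("TLS_"):]
    if "_WITH_" in body:
        kx, bulk = body.split("_WITH_", 1)
        kx_tokens = kx.split("_")
        ephemeral = kx_tokens[0] in EPHEMERAL_KX
        authenticated = "anon" not in kx_tokens
    else:
        # Assumption: a name without _WITH_ is a TLS 1.3 suite (e.g.
        # TLS_AES_128_GCM_SHA256). TLS 1.3 only offers ephemeral,
        # authenticated (EC)DHE, so only the bulk cipher needs checking.
        bulk, ephemeral, authenticated = body, True, True
    bulk_tokens = set(bulk.split("_"))
    aead = bool(AEAD_TOKENS & bulk_tokens) or {"CHACHA20", "POLY1305"} <= bulk_tokens
    return Verdict(suite, ephemeral, authenticated, aead)


def evaluate(suite: str, http_version: str, policy: str) -> tuple[str, str]:
    """Apply one of the two policies from the thread; returns (action, message).

    "h2-reject": the 9.2.2 position. An h2 connection on a black-listed suite is
                 refused (INADEQUATE_SECURITY); HTTP/1.1 is untouched.
    "warn-any":  the reply's suggestion. Any TLS connection that lands on a weak
                 suite logs a warning, whatever the HTTP version.
    """
    verdict = classify(suite)
    if verdict.acceptable:
        return "accept", f"{suite}: ok"
    why = "; ".join(verdict.reasons())
    if policy == "h2-reject":
        if http_version == "h2":
            return "reject", f"INADEQUATE_SECURITY(0x{INADEQUATE_SECURITY:x}) {suite}: {why}"
        return "accept", f"{suite}: weak, but 9.2.2 says nothing about {http_version}"
    if policy == "warn-any":
        return "warn", f"weak TLS cipher suite on {http_version}: {suite}: {why}"
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample negotiations (suite, negotiated HTTP version); not from the thread.
SAMPLE = [
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "h2"),        # the h2 mandatory suite
    ("TLS_RSA_WITH_AES_128_CBC_SHA", "h2"),                 # static RSA + CBC: black-listed
    ("TLS_RSA_WITH_AES_128_CBC_SHA", "http/1.1"),           # same suite, HTTP/1.1
    ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "h2"),          # ephemeral but not AEAD
    ("TLS_DH_anon_WITH_AES_128_GCM_SHA256", "h2"),          # AEAD but anonymous
    ("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "http/1.1"),
    ("TLS_RSA_WITH_RC4_128_SHA", "h2"),
    ("TLS_AES_128_GCM_SHA256", "h2"),                       # TLS 1.3 name
]


def audit(negotiations, policy: str) -> dict[tuple[str, str], str]:
    """Run one policy over (suite, version) pairs; log and return the actions."""
    log = logging.getLogger("tls-audit")
    results = {}
    for suite, version in negotiations:
        action, message = evaluate(suite, version, policy)
        results[(suite, version)] = action
        {"accept": log.info, "warn": log.warning, "reject": log.error}[action](message)
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    for policy in ("h2-reject", "warn-any"):
        print(f"--- policy: {policy}")
        audit(SAMPLE, policy)
```

Running both policies over the same input makes the disagreement concrete: under "h2-reject" the CBC suite is fatal on h2 and silently fine on HTTP/1.1, while under "warn-any" both connections proceed and both get the same warning, which is what the reply means by applying the check to HTTP/1.1 just as much as to HTTP/2.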