Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem

I also think that this should not be in the HTTP2 spec, and looking at the
WG's HTTP2 charter I think that is explicitly listed as being out of scope:

Explicitly out-of-scope items include:
* Specifying the use of alternate transport-layer protocols. Note that 
it is expected that the Working Group will work with the TLS working 
group to define how the protocol is used with the TLS Protocol; any 
revisions to RFC 2818 will be done in the TLS working group.


Roy T. Fielding wrote:
> I still don't believe that any of these requirements belong in h2,
> and I won't implement them even if they end up in the RFC.  It is
> not the HTTP server's responsibility to second-guess the configuration
> regarding the security properties of the underlying connections.
> We have no idea what hardware or gateways might be doing to secure those
> connections.  We don't even know what TLS library is being used,
> since all we see is an API into someone else's code.
> TLS requirements belong in the TLS code.
> ....Roy

Received on Friday, 19 September 2014 00:57:56 UTC