Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem

On Wed, Sep 17, 2014 at 10:45:22AM +0200, Roland Zink wrote:
> So how are new ciphers added later? Does this require a new HTTP2 RFC, 
> or a new TLS RFC or do they need to be registered with IANA? What if one 
> of the now acceptable ciphers is no longer considered secure and should 
> be disabled?

Simple response: it will not be possible to upgrade them anymore because
servers will have to change their cipher suite and become suddenly
incompatible with already deployed browsers. Updating the spec does not
mean upgrading all implementations at once... And advertising a new ALPN
name will not mean that servers will be able to propose a different cipher
suite depending on what protocol version is selected.

> Doesn't this cipher selection belong in TLS and not h2?

Sure!

Willy

Received on Friday, 19 September 2014 06:11:27 UTC