- From: Willy Tarreau <w@1wt.eu>
- Date: Fri, 19 Sep 2014 08:11:03 +0200
- To: Roland Zink <roland@zinks.de>
- Cc: ietf-http-wg@w3.org
On Wed, Sep 17, 2014 at 10:45:22AM +0200, Roland Zink wrote: > So how are new ciphers added later? Does this require a new HTTP2 RFC, > or a new TLS RFC or do they need to be registered with IANA? What if one > of the now acceptable ciphers is no longer considered secure and should > be disabled? Simple response : it will not be possible to upgrade them anymore because servers will have to change their cipher suite and become suddenly incompatible with already deployed browsers. Updating the spec does not mean upgrading all implementations at once... And advertising a new ALPN name will not mean that servers will be able to propose a different cipher suite depending on what protocol version is selected. > Doesn't this cipher selection belong into TLS and not h2? Sure! Willy
Received on Friday, 19 September 2014 06:11:27 UTC