Re: 9.2.2 Cipher fallback and FF<->Jetty interop problem


On Mon, Sep 22, 2014 at 7:29 PM, Eric Rescorla <> wrote:
> - We're kind of sad that people use algorithm X and we wish they would
>    do something more modern.
> - There is something seriously wrong with algorithm X and people need
>   transition off it pronto.
> In the former case, we have pretty limited options, since it's probably not
> worth breaking interop over. So, we can do nothing or we can gradually
> tell people to upgrade at preexisting protocol upgrade points. I.e., we
> wouldn't roll out HTTP3 to do this, we'd just do it when we were already
> rolling out HTTP3 (the same way as 9.2.2 is now). in the second case,
> we would want to adjust all versions of HTTP so no new rev would be
> required.

Frankly, I don't understand this at all.

HTTP 1.x was not "adjusted" when flaws have been found in ciphers.
Browsers and servers were just updated to pick up better ciphers, and
alert users otherwise
Why we must now "adjust" HTTP/2 ?

If the HTTP/2 specification was delayed by enough time so that TLS 1.3
was already ratified, do you think it would have made sense to specify
9.2.2 as it is (rather than just requiring a SHOULD or MUST for TLS
1.3+) ?

Thanks !

Simone Bordet
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz

Received on Monday, 22 September 2014 19:51:27 UTC