Re: Discussion of 9.2.2 from Greg Wilkins on 2014-09-25 (ietf-http-wg@w3.org from July to September 2014)

From: Greg Wilkins <gregw@intalio.com>
Date: Fri, 26 Sep 2014 04:14:08 +1000
To: Mark Nottingham <mnot@mnot.net>
Cc: Jason Greene <jason.greene@redhat.com>, Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAH_y2NFQKQAVVEqtUPB-YJr5Ew-m7AOjvSiarjYedYmhPqO71Q@mail.gmail.com>

On 26 September 2014 03:56, Mark Nottingham <mnot@mnot.net> wrote:

>
> See recent discussion regarding the language regarding unknown ciphers.
> Please address that proposal (mine or Martin’s).
>
>
please don't exclude my proposal from consideration!   To summaries again:

   - Replace the current allowance for weak h1 ciphers with an explicit
   immutable white list of weak ciphers that can be used for h1 fallback.
   - Update text to say that block and stream ciphers are prohibited for
   h2, but that AEAD and future cipher classes are allowed.

The intent in these proposals is to leave no doubt in the servers
consideration of unknown ciphers. An offered cipher that is not in the h1
white list is h2 acceptable for the client. The server can then apply it's
own acceptability criteria without the need to guess what the client is
actually offering.


cheers




-- 
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.

Received on Thursday, 25 September 2014 18:14:37 UTC