- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 26 Sep 2014 09:03:46 +0200
- To: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 2014-09-24 13:17, Mark Nottingham wrote:
> ...
> My personal observations (no chair hat):
>
> AIUI, the crux of the purported problem is when a new cipher suite X is introduced, and a client offers it. If the server supports that cipher suite but the HTTP/2 implementation has not decided that it is conformant to these requirements, INADEQUATE_SECURITY will be thrown.
>
> It seems to me that a few editorial changes would help here.
>
> a) Explicitly note that INADEQUATE_SECURITY is thrown in 9.2.2 (it’s implied by 9.2 but let’s be explicit). This should happen regardless.
> b) Change the start of #2 above to “HTTP/2”. This should happen regardless.
> c) Change #2 above to “HTTP/2 MUST NOT be used with cipher suites that are known to be stream or block ciphers.” This emphasises that it’s a blacklist, not a whitelist, and avoids throwing INADEQUATE_SECURITY when encountering a cipher suite with unknown properties.
>
> Regards,
> ...

Can we add a d), as suggested by yourself:

d) Constrain the http/2-on-tls constraints on cipher suites to TLS 1.2 only

(I didn't see any negative feedback on that idea)

Best regards, Julian
Received on Friday, 26 September 2014 07:04:19 UTC
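The following is an added example, not code from this thread or from any HTTP/2 implementation. It models the two policies contrasted in point (c): a whitelist that only passes cipher suites it recognises, and a blacklist that only rejects suites known to be stream or block ciphers, so that a new suite with unknown properties is not met with INADEQUATE_SECURITY. It also applies point (d) by evaluating the check for TLS 1.2 only. Suite names follow the IANA TLS cipher suite naming style; TLS_EXAMPLE_NEW_AEAD_SHA256 is a constructed placeholder standing in for the "new cipher suite X" in Mark's message, and the marker lists are an assumption for illustration, not a complete classification of the registry.

```python
"""Blacklist vs whitelist handling of TLS cipher suites for HTTP/2 (added example).

Models points (c) and (d) from the thread. Not code from the thread or from
any HTTP/2 stack. Marker lists below are illustrative assumptions, not a
complete classification of the IANA cipher suite registry.
"""
from typing import Dict, Optional

# HTTP/2 error code named in the thread.
INADEQUATE_SECURITY = "INADEQUATE_SECURITY"
TLS_1_2 = "TLS1.2"

# Name fragments that identify a suite as using a stream or block cipher.
# A suite matching none of these has "unknown properties" for our purposes.
STREAM_OR_BLOCK_MARKERS = ("_CBC_", "_RC4_", "_3DES_", "_NULL_")

# Name fragments for AEAD constructions a whitelist would recognise.
AEAD_MARKERS = ("_GCM_", "_CCM", "_CHACHA20_POLY1305_")


def is_known_stream_or_block(suite: str) -> bool:
    """True only for suites positively identified as stream/block ciphers."""
    return any(marker in suite for marker in STREAM_OR_BLOCK_MARKERS)


def is_known_aead(suite: str) -> bool:
    """True only for suites positively identified as AEAD constructions."""
    return any(marker in suite for marker in AEAD_MARKERS)


def check_blacklist(tls_version: str, suite: str) -> Optional[str]:
    """Point (c): reject only suites *known* to be stream or block ciphers.

    Point (d): the cipher-suite constraints are evaluated for TLS 1.2 only;
    for any other negotiated version this particular check does not apply
    and returns None (other version requirements are outside this check).
    """
    if tls_version != TLS_1_2:
        return None
    if is_known_stream_or_block(suite):
        return INADEQUATE_SECURITY
    # A suite with unknown properties passes: the behaviour Mark wants.
    return None


def check_whitelist(tls_version: str, suite: str) -> Optional[str]:
    """The alternative the thread warns against: only recognised AEAD suites
    pass, so a new suite the implementation has not classified is rejected.
    """
    if tls_version != TLS_1_2:
        return None
    if is_known_aead(suite):
        return None
    return INADEQUATE_SECURITY


def compare_policies(tls_version: str, suite: str) -> Dict[str, Optional[str]]:
    """Run both policies on one negotiated (version, suite) pair."""
    return {
        "blacklist": check_blacklist(tls_version, suite),
        "whitelist": check_whitelist(tls_version, suite),
    }


if __name__ == "__main__":
    # Constructed sample negotiations; the last suite name is a placeholder
    # for a hypothetical new suite the implementation has never seen.
    samples = [
        (TLS_1_2, "TLS_RSA_WITH_AES_128_CBC_SHA"),
        (TLS_1_2, "TLS_RSA_WITH_RC4_128_SHA"),
        (TLS_1_2, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
        (TLS_1_2, "TLS_EXAMPLE_NEW_AEAD_SHA256"),
        ("TLS1.3", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ]
    for version, name in samples:
        print(f"{version} {name}: {compare_policies(version, name)}")
```

The divergence shows up on the unknown suite only: both policies reject the CBC and RC4 suites and both accept the GCM suite, but the whitelist answers INADEQUATE_SECURITY for TLS_EXAMPLE_NEW_AEAD_SHA256 while the blacklist lets it through. The cost of the blacklist is that a genuinely weak new suite is also let through until the marker list is updated, which is the trade-off point (c) accepts.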