Re: Concluding discussion on #612 (9.2.2)

As I said before, I don't really have a dog in this fight, but I note
that one of Greg's proposals is to write 9.2.2 more precisely:

   - rewrite 9.2.2 in more precise language (no 'such as')

In that spirit, I suggest the following text which I believe fits
Note that this is not a claim that it addresses Greg's
concern -- that is for Greg to decide -- but merely an attempt to
formalize what I believe the current text already implies.
The last sentence is arguably too conservative, but is intended
to resolve potential ambiguities about future non-AEAD ciphers and
in any case will be easy to deal with.


  HTTP2 MUST NOT be used with cipher suites that use stream [RFC5246;
  Section 6.2.3.1] or block [RFC5246; Section 6.2.3.2]
  ciphers. Authenticated Encryption with Additional Data (AEAD) modes
  [RFC5246; Section 6.2.3.3] are acceptable.  At present, the only
  such modes defined for TLS are the Galois Counter Mode (GCM) mode for
  AES [RFC5288] [RFC5289; Section 3.2] and Counter with CBC-MAC Mode
  (CCM) [RFC665] [RFC7251], but any future AEAD modes are also
  acceptable. Any future TLS modes that are not of the AEAD form MUST
  NOT be used without an RFC updating this document.

Hope this helps.

-Ekr


On Tue, Oct 7, 2014 at 1:57 AM, Mark Nottingham <mnot@mnot.net> wrote:

> I'd like to get to a call for consensus on <
> https://github.com/http2/http2-spec/issues/612> very soon.
>
> To help get us there, I've prepared a wiki page that I think summarises
> the issues that have been raised:
>   https://github.com/http2/http2-spec/wiki/TlsRequirements
>
> Martin has made a proposal in the form of a pull request:
>   https://github.com/http2/http2-spec/pull/615
> ... and it looks like there's general support for incorporating it. Does
> anyone have a reason not to?
>
> Greg has made a number of proposals, listed in short form at:
>
> http://www.w3.org/mid/CAH_y2NH=skUXk0QwCs4uVqWE=iOLhi5K+kvARDUQ7uMeogrw9A@mail.gmail.com
>
> Martin and Greg, do you need time to develop your proposals any further?
>
> Greg, you made quite a few proposals -- did I miss any others, or do you
> want to selectively nominate one or more of them for consideration?
>
> Finally, does anyone else wish to make a proposal?
>
> Regards,
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>
>

Received on Tuesday, 7 October 2014 07:31:50 UTC
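
The rule in the proposed text above, applied to IANA cipher suite names, as an added example that is not part of the original message or of the HTTP/2 specification. The function names, the name-token heuristic, the choice to reject unrecognised names, and the sample suite list are assumptions of this example.

```python
# Added example: sort TLS cipher suites by the record-protection type the
# proposed 9.2.2 text distinguishes (stream / block / AEAD).
AEAD_MODES = ("GCM", "CCM")        # the only AEAD modes the message lists
BLOCK_MODES = ("CBC",)             # RFC 5246 Section 6.2.3.2
STREAM_CIPHERS = ("RC4", "NULL")   # RFC 5246 Section 6.2.3.1 (NULL is typed as stream)


def classify(suite):
    """Return 'aead', 'block', 'stream' or 'unknown' for an IANA suite name."""
    prefix, sep, cipher_part = suite.partition("_WITH_")
    if not sep or not prefix.startswith("TLS_"):
        return "unknown"           # not an IANA-style TLS_x_WITH_y name
    tokens = cipher_part.split("_")
    if any(t in AEAD_MODES for t in tokens):
        return "aead"
    if any(t in BLOCK_MODES for t in tokens):
        return "block"
    if any(t in STREAM_CIPHERS for t in tokens):
        return "stream"
    return "unknown"               # unrecognised mode: needs manual review


def http2_allowed(suite):
    """Assumption of this example: only suites positively identified as AEAD pass."""
    return classify(suite) == "aead"


def audit(suites):
    """Group a server's configured suites by classification."""
    report = {"aead": [], "block": [], "stream": [], "unknown": []}
    for suite in suites:
        report[classify(suite)].append(suite)
    return report


# Constructed sample configuration; the last two entries are deliberate edge cases.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CCM_8",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_EXAMPLE_WITH_NEWCIPHER_256_SHA384",   # placeholder, not a real suite
    "ECDHE-RSA-AES128-GCM-SHA256",             # OpenSSL-style name, not IANA
]

if __name__ == "__main__":
    for kind, names in audit(SAMPLE_SUITES).items():
        print(kind, names)
```

Classifying by name is only as good as the marker tables; an AEAD mode defined after this message would show up as `unknown` until it is added to `AEAD_MODES`.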