Re: Concluding discussion on #612 (9.2.2) from Michael Sweet on 2014-10-07 (ietf-http-wg@w3.org from October to December 2014)

From: Michael Sweet <msweet@apple.com>
Date: Tue, 07 Oct 2014 09:38:41 -0400
To: Eric Rescorla <ekr@rtfm.com>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, Martin Thomson <martin.thomson@gmail.com>, Greg Wilkins <gregw@intalio.com>
Message-id: <601DB4BB-7C9A-4BF2-99A3-3A99E3D9ABD2@apple.com>

I still don't like having this kind of requirement since, at present, there is no way for me to enforce it and still support HTTP/1.1 without some after-the-fact oops code that shuts things down.


> On Oct 7, 2014, at 3:30 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> As I said before, I don't really have a dog in this fight, but I note
> that one of Greg's proposals is to write 9.2.2 more precisely:
> 
>    - rewrite 9.2.2 in more precise language (no 'such as')
> 
> In that spirit, I suggest the following text which I believe fits
> Note that this is not a claim that it addresses Greg's
> concern -- that is for Greg to decide -- but merely an attempt to
> formalize what I believe the current text already implies. 
> The last sentence is arguably too conservative, but is intended
> to resolve potential ambiguities about future non-AEAD ciphers and
> in any case will be easy to deal with.
> 
> 
>   HTTP2 MUST NOT be used with cipher suites that use stream [RFC5246;
>   Section 6.2.3.1] or block [RFC5246; Section 6.2.3.2]
>   ciphers. Authenticated Encryption with Additional Data (AEAD) modes
>   [RFC 5246; Section 6.2.3.3]) are acceptable.  At present, the only
>   such modes defined for TLS are the Galois Counter Model (GCM) mode for
>   AES [RFC5288] [RFC5289; Section 3.2] and Counter with CBC-MAC Mode
>   (CCM) [RFC665] [RFC7251], but any future AEAD modes are also
>   acceptable. Any future TLS modes that are not of the AEAD form MUST
>   NOT be used without an RFC updating this document.
> 
> Hope this helps.
> 
> -Ekr
> 
> 
> On Tue, Oct 7, 2014 at 1:57 AM, Mark Nottingham <mnot@mnot.net> wrote:
> I'd like to get to a call for consensus on <https://github.com/http2/http2-spec/issues/612> very soon.
> 
> To help get us there, I've prepared a wiki page that I think summarises the issues that have been raised:
>   https://github.com/http2/http2-spec/wiki/TlsRequirements
> 
> Martin has made a proposal in the form of a pull request:
>   https://github.com/http2/http2-spec/pull/615
> ... and it looks like there's general support for incorporating it. Does anyone have a reason not to?
> 
> Greg has made a number of proposals, listed in short form at:
>   http://www.w3.org/mid/CAH_y2NH=skUXk0QwCs4uVqWE=iOLhi5K+kvARDUQ7uMeogrw9A@mail.gmail.com
> 
> Martin and Greg, do you need time to develop your proposals any further?
> 
> Greg, you made quite a few proposals -- did I miss any others, or do you want to selectively nominate one or more of them for consideration?
> 
> Finally, does anyone else wish to make a proposal?
> 
> Regards,
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 
> 
> 

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

Received on Tuesday, 7 October 2014 13:39:12 UTC