Requiring TLS 1.3 as alternative to HTTP/2 section 9.2.2

It looks like HTTP/2 section 9.2.2 is on the chopping block, with little push-back thus far, so I'm going to ask the obvious question: what's going to replace it?

Attempting to enforce cipher requirements here is problematic; however, removing these requirements will also add its own interoperability problems. If a server were to follow the spec without these requirements, then a browser that already implements them will reject the connection. Unless everyone is also going to pledge to remove already implemented security checks, this will be an issue. Without 9.2.2, even RC4 is valid for HTTP/2 traffic, which seems like something implementors would fight against introducing.

There were a few people who suggested simply waiting for TLS 1.3 and requiring that instead of TLS 1.2 plus a series of hacks. Is it possible to fast-track TLS 1.3 from its current draft to standardization for HTTP/2, and move further TLS development to 1.4? This is the simplest solution and obsoletes almost all of section 9.2, not just 9.2.2.

I guess the real question is: can two working groups work together here?

-- Dave
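The interoperability gap described above, as an added example that is not part of the original message or of any HTTP/2 implementation: a simplified model of the section 9.2.2 cipher-suite check that browsers had already shipped, run against a server that follows a spec with the requirement removed. The rule is modelled as an assumption (TLS 1.2, ephemeral ECDHE/DHE key exchange, AEAD cipher); the suite names are standard IANA names and the scenarios are constructed.

```python
"""Model of the HTTP/2 draft 9.2.2 cipher-suite check (assumed rule: TLS 1.2,
ECDHE/DHE key exchange, AEAD cipher) used to show that dropping the
requirement from the spec does not remove the client-side rejection."""

# AEAD suites are identified by these substrings in their IANA names.
AEAD_MARKERS = ("_GCM_", "_CCM", "_CHACHA20_POLY1305")


def meets_9_2_2(tls_version: str, suite: str) -> bool:
    """Does a negotiated (version, cipher suite) pass the modelled 9.2.2 rule?"""
    # The model covers TLS 1.2 only; TLS 1.3 suites use a different naming scheme.
    if tls_version != "TLSv1.2":
        return False
    ephemeral = suite.startswith(("TLS_ECDHE_", "TLS_DHE_"))
    aead = any(marker in suite for marker in AEAD_MARKERS)
    return ephemeral and aead


def negotiate(server_enforces: bool, client_enforces: bool,
              tls_version: str, suite: str) -> str:
    """Outcome of an HTTP/2-over-TLS connection where each side may or may not
    still apply the 9.2.2 check. A server following a spec without the
    requirement completes the handshake; a client that still carries the
    check then tears the connection down (INADEQUATE_SECURITY in RFC 7540)."""
    ok = meets_9_2_2(tls_version, suite)
    if server_enforces and not ok:
        return "server refuses suite at handshake"
    if client_enforces and not ok:
        return "client rejects connection: INADEQUATE_SECURITY"
    return "connection established"


# Constructed scenarios: what a lenient server might end up negotiating.
SCENARIOS = [
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),  # compliant
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_RC4_128_SHA"),         # RC4, not AEAD
    ("TLSv1.2", "TLS_RSA_WITH_AES_128_GCM_SHA256"),        # AEAD, static RSA
    ("TLSv1.0", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"),     # old TLS version
]


def interop_report(client_enforces: bool = True) -> dict:
    """Outcome per suite against a server that no longer enforces 9.2.2."""
    return {suite: negotiate(False, client_enforces, ver, suite)
            for ver, suite in SCENARIOS}


if __name__ == "__main__":
    for suite, outcome in interop_report().items():
        print(f"{suite:45} {outcome}")
```

Only the first suite survives a client that still enforces the check; with `client_enforces=False` every row, RC4 included, is "connection established".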

Received on Tuesday, 28 October 2014 16:44:13 UTC