- From: Brian Smith <brian@briansmith.org>
- Date: Tue, 28 Oct 2014 14:23:20 -0700
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAFewVt50BiBdtBn=Rzveh3xVhJ2rzBtz7n6pv=be=e8tFaiZVQ@mail.gmail.com>
Mark Nottingham <mnot@mnot.net> wrote: > <https://github.com/http2/http2-spec/issues/612> > > Reviewing the discussion, I think it’s going to be difficult to declare > consensus on 9.2.2 in its current form. > > Talking through it with a few of the proponents, my proposal to close this > issue is to remove 9.2.2 (i.e., the specific requirements on cipher > suites), but leave 9.2.1 (the section on TLS features) as-is. > > Thoughts? > What is the actual diff? 9.2.2 cannot be removed reasonably without adding new text to the security considerations section, but AFAICT nobody has written the new security considerations section yet. In particular, how do the known attacks on TLS configurations forbidden by 9.2.2 affect HTTP/2? I find it difficult to tell what arguments against the 9.2.2 requirements have not been sufficiently refuted. I read the arguments against the 9.2.2 requirements carefully because I wanted to try to help address them in a constructive way that accomplishes the goal of improving security without causing an unnecessary burden for anybody, but I've not been able to figure out what is actually unreasonably burdensome about the 9.2.2 requirements. This issue in particular seems like one where "Rough consensus is achieved when all issues are addressed, but not necessarily accommodated" from RFC 7282 applies. Finally, didn't Google say that they're still going to apply the 9.2.2 restrictions even if 9.2.2 is removed from the spec? And, maybe Mozilla will do the same thing? If so, then wouldn't removing 9.2.2 cause significant problems due to the fact that the requirements in the document aren't sufficient to describe how to interoperate? Cheers, Brian
Received on Tuesday, 28 October 2014 21:23:47 UTC