Re: #612: 9.2.2 requirements

> On Oct 28, 2014, at 4:23 PM, Brian Smith <brian@briansmith.org> wrote:
> 
> I find it difficult to tell what arguments against the 9.2.2 requirements have not been sufficiently refuted. I read the arguments against the 9.2.2 requirements carefully because I wanted to try to help address them in a constructive way that accomplishes the goal of improving security without causing an unnecessary burden for anybody, but I've not been able to figure out what is actually unreasonably burdensome about the 9.2.2 requirements.

The handshake issues have not been refuted. Here is an example:
http://lists.w3.org/Archives/Public/ietf-http-wg/2014OctDec/0167.html

I summarized the only solutions that I am aware of, and they are either burdensome or not widely available. All are arguably error-prone.

http://lists.w3.org/Archives/Public/ietf-http-wg/2014OctDec/0198.html

There is also a compelling argument that this is not the proper place to mandate TLS framework API behavior, which is indirectly required to achieve these rules and avoid the resulting negotiation issues:

http://lists.w3.org/Archives/Public/ietf-http-wg/2014OctDec/0114.html

--
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat

Received on Tuesday, 28 October 2014 22:11:56 UTC