- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 28 Oct 2014 16:20:53 -0700
- To: Brian Smith <brian@briansmith.org>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

On 28 October 2014 14:23, Brian Smith <brian@briansmith.org> wrote:
> What is the actual diff? 9.2.2 cannot be removed reasonably without adding
> new text to the security considerations section, but AFAICT nobody has
> written the new security considerations section yet. In particular, how do
> the known attacks on TLS configurations forbidden by 9.2.2 affect HTTP/2?

I'm not aware of specific security considerations that need to be written in this context regarding 9.2.2. The security analysis hasn't assumed anything about the cipher suite selection (the only potential loss here). The analysis relies only on the stuff in 9.2.1 (no compression, no renegotiation), which we are keeping.

Received on Tuesday, 28 October 2014 23:21:21 UTC