Re: #612: 9.2.2 requirements from Martin Thomson on 2014-10-28 (ietf-http-wg@w3.org from October to December 2014)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 28 Oct 2014 16:20:53 -0700
To: Brian Smith <brian@briansmith.org>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABkgnnVuzf1wKPhByXwR04MKjLmH1uox1pQErAQNxuymcCginA@mail.gmail.com>

On 28 October 2014 14:23, Brian Smith <brian@briansmith.org> wrote:
> What is the actual diff? 9.2.2 cannot be removed reasonably without adding
> new text to the security considerations section, but AFAICT nobody has
> written the new security considerations section yet. In particular, how do
> the known attacks on TLS configurations forbidden by 9.2.2 affect HTTP/2?

I'm not aware of specific security considerations that need to be
written in this context regarding 9.2.2.  The security analysis hasn't
assumed anything about the cipher suite selection (the only potential
loss here).  The analysis relies only on the stuff in 9.2.1 (no
compression, no renegotiation), which we are keeping.

Received on Tuesday, 28 October 2014 23:21:21 UTC