Re: #612: 9.2.2 requirements from Eric Rescorla on 2014-11-02 (ietf-http-wg@w3.org from October to December 2014)

From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 2 Nov 2014 11:27:41 -0800
To: Michael Sweet <msweet@apple.com>
Cc: Nicholas Hurley <hurley@todesschaf.org>, Brian Smith <brian@briansmith.org>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABcZeBPkSG=97UahNcCpRw=_26knQqJ9UMDWmqUhNF_mRC4-VA@mail.gmail.com>

On Sun, Nov 2, 2014 at 7:08 AM, Michael Sweet <msweet@apple.com> wrote:

> The PSK suites.


I see.

This doesn't seem like a source of confusion because PSK suites only
work by prior arrangement between the client and server, so it's not
like they are going to be negotiated by generic HTTP2 clients
(modulo the PSK-as-resumption technique proposed by Karthik, which
doesn't seem like a source of confusion either).

-Ekr


> > On Nov 2, 2014, at 9:16 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> >
> >
> >
> > On Sat, Nov 1, 2014 at 7:55 PM, Michael Sweet <msweet@apple.com> wrote:
> > Nicholas,
> >
> > > On Nov 1, 2014, at 12:42 PM, Nicholas Hurley <hurley@todesschaf.org>
> wrote:
> > >
> > >
> > >> On 1 Nov, 2014, at 05:14, Michael Sweet <msweet@apple.com> wrote:
> > >>
> > >> However, in this case it seems that some feel that the mandatory
> cipher suite in TLS/1.2 is inadequate, and that a specific set of cipher
> suites is now preferred (and MAY be a requirement in TLS/1.3). Therefore,
> the proper, RFC 2119, approach would be to require support for one or more
> cipher suites that are seen as providing adequate security - that ensures
> interoperability and that the two end points will be able to negotiate a
> "secure" connection without requiring layering violations or causing
> interoperability problems.
> > >
> > > Good news! Quoting 9.2.2:
> > >
> > > "To avoid this problem, implementations of HTTP/2 that use TLS 1.2
> MUST support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [TLS-ECDHE] with P256
> [FIPS186].”
> >
> > I have no problem with this.  I *do* have a problem forbidding all of
> the other TLS/1.2 cipher suites (including the mandatory cipher suite in
> RFC 5246) which is a) not necessary for interop and b) causes interop and
> implementation problems.
> >
> > Also, based on the traffic on the TLS WG list, it looks like TLS/1.3
> will still include cipher suites that are not allowed by the current HTTP/2
> text, but are otherwise considered "secure".  And thanks to the current
> wording, they will be valid when TLS/1.3 is negotiated but not TLS/1.2.
> (think of the interop issues there!)
> >
> > Which cipher suites do you believe those will be?
> >
> > -Ekr
>
> _________________________________________________________
> Michael Sweet, Senior Printing System Engineer, PWG Chair
>
>

Received on Sunday, 2 November 2014 19:28:49 UTC