- From: Michael Sweet <msweet@apple.com>
- Date: Mon, 03 Nov 2014 05:56:18 -0500
- To: Roland Zink <roland@zinks.de>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

That was my point - right now a cipher suite that is valid in both TLS/1.2 and TLS/1.3 may only be usable with HTTP/2 when TLS/1.3 is negotiated. Aside from the confusion factor this seems like a recipe for interop disaster.

Sent from my iPad

> On Nov 3, 2014, at 5:44 AM, Roland Zink <roland@zinks.de> wrote:
>
>> On 03.11.2014 01:03, Mark Nottingham wrote:
>> Michael,
>>
>>> On 2 Nov 2014, at 1:55 pm, Michael Sweet <msweet@apple.com> wrote:
>>>
>>> Also, based on the traffic on the TLS WG list, it looks like TLS/1.3 will still include cipher suites that are not allowed by the current HTTP/2 text, but are otherwise considered "secure". And thanks to the current wording, they will be valid when TLS/1.3 is negotiated but not TLS/1.2. (think of the interop issues there!)
>> See the current proposal, which makes the requirements specific to TLS 1.2:
>> https://github.com/http2/http2-spec/pull/615
> Wouldn't this be confusing? A cipher is allowed with TLS 1.2, but not with TLS 1.2 together with h2. But if h2 is used together with TLS 1.3 it is allowed again.
>
>>
>> --
>> Mark Nottingham http://www.mnot.net/
>
> Roland
>

Received on Monday, 3 November 2014 10:56:45 UTC