Re: #612: 9.2.2 requirements from Yoav Nir on 2014-11-05 (ietf-http-wg@w3.org from October to December 2014)

From: Yoav Nir <ynir.ietf@gmail.com>
Date: Wed, 5 Nov 2014 07:31:25 +0200
To: Greg Wilkins <gregw@intalio.com>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <89475DEF-AC7D-417B-BF4A-1B18FBABAC83@gmail.com>

> On Nov 5, 2014, at 3:13 AM, Greg Wilkins <gregw@intalio.com> wrote:
> 
> 
> On 1 November 2014 05:35, Mark Nottingham <mnot@mnot.net <mailto:mnot@mnot.net>> wrote:
> While some may consider the handshake “fragile”, they’ll need to explain how — given the above context — it affects interoperability in a way that’s significant. So far, I haven’t seen an explanation of how the handshake raises such an issue.
> 
> The problem with 9.2.2 is not that it tries to restrict TLS ciphers to known good ciphers.   It is that is also tries to allow clients to continue using known poor ciphers with http1 without any penalty.

You are implying that TLS_RSA_WITH_AES_128_CBC_SHA is known insecure. This is not the case.

Yoav

Received on Wednesday, 5 November 2014 05:31:54 UTC