Re: #612: 9.2.2 requirements

> On Nov 5, 2014, at 3:13 AM, Greg Wilkins <gregw@intalio.com> wrote:
> 
> 
> On 1 November 2014 05:35, Mark Nottingham <mnot@mnot.net> wrote:
> While some may consider the handshake “fragile”, they’ll need to explain how — given the above context — it affects interoperability in a way that’s significant. So far, I haven’t seen an explanation of how the handshake raises such an issue.
> 
> The problem with 9.2.2 is not that it tries to restrict TLS ciphers to known good ciphers. It is that it also tries to allow clients to continue using known poor ciphers with http1 without any penalty.

You are implying that TLS_RSA_WITH_AES_128_CBC_SHA is known insecure. This is not the case.

Yoav

Received on Wednesday, 5 November 2014 05:31:54 UTC