- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 5 Nov 2014 16:07:26 -0800
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Mike Bishop <Michael.Bishop@microsoft.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 5 November 2014 16:02, Mark Nottingham <mnot@mnot.net> wrote: > So, maybe the path forward would be to leave the cipher suite requirements at MUST -- putting the responsibility for conforming on the administrator in some deployments -- but reduce the requirement to generate INADEQUATE_SECURITY to a SHOULD, thereby letting an implementation that doesn't have the ability (or desire) to enforce off the hook. I think that would work. It would hide errors, which I think we've tried not to do generally, but it's a practical escape valve for some cases.
Received on Thursday, 6 November 2014 00:07:53 UTC