- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 6 Nov 2014 11:08:23 +1100
- To: "Jason T. Greene" <jason.greene@redhat.com>
- Cc: Greg Wilkins <gregw@intalio.com>, HTTP Working Group <ietf-http-wg@w3.org>
> On 6 Nov 2014, at 10:56 am, Jason T. Greene <jason.greene@redhat.com> wrote:
>
>> On Nov 5, 2014, at 5:22 PM, Mark Nottingham <mnot@mnot.net> wrote:
>>
>> However, it still hasn't been shown how this will be the case with HTTP/2, if both the client and server are conformant to the proposed text.
>
> Why do you keep saying this? I have reposted the frequently discussed problematic scenario numerous times in response to it.
>
> I'm also not saying it can't be fixed. I even have a candidate PR for one option that came out of a discussion with Brian (who at least acknowledged the issue). Other options and proposals have been brought up (as recently as today). I have summarized them on multiple occasions.

See: <http://www.w3.org/mid/6F1A838B-0BC8-4D6D-856E-414DFBF747AF@mnot.net>

You yourself said earlier:

> Reconsidering Brian's argument regarding ALPN behavior, it's perfectly plausible that a TLS impl could validate the ALPN + cipher combination and ensure either the right ciphers are chosen, or that the ALPN missing the proper cipher requirements is not selected by the application. Following this line of thought I must concede that there is no TLS protocol problem.
>
> In fairness, the issue is instead a practical one (the lack of support by TLS implementations, and the inability of H2 implementations to comply with these rules at the time of H2 standardization)

Cheers,

--
Mark Nottingham https://www.mnot.net/
Received on Thursday, 6 November 2014 00:08:50 UTC