On Wed, Nov 5, 2014 at 7:02 PM, Mark Nottingham <mnot@mnot.net> wrote: > So, maybe the path forward would be to leave the cipher suite requirements > at MUST -- putting the responsibility for conforming on the administrator > in some deployments -- but reduce the requirement to generate > INADEQUATE_SECURITY to a SHOULD, thereby letting an implementation that > doesn't have the ability (or desire) to enforce off the hook. > > Need to think through the implications of that, but WDYT? > > I'm assuming the Y in WDYT opened that question up to the room :) I think this is reasonable on balance. As Martin has already noted we've tended to favor harder error handling requirements but if the practicalities of this protocol requirement mean it will be fulfilled by agreement outside of the h2 implementation (e.g. via config of a coordinated partner application) then it makes sense to be more flexible here wrt generating INADEQUATE_SECURITY.
Received on Thursday, 6 November 2014 03:11:08 UTC