- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 6 Nov 2014 14:28:00 +1100
- To: Patrick McManus <mcmanus@ducksong.com>
- Cc: Mike Bishop <Michael.Bishop@microsoft.com>, HTTP Working Group <ietf-http-wg@w3.org>
Dare I say MAY? > On 6 Nov 2014, at 2:10 pm, Patrick McManus <mcmanus@ducksong.com> wrote: > > > On Wed, Nov 5, 2014 at 7:02 PM, Mark Nottingham <mnot@mnot.net> wrote: > So, maybe the path forward would be to leave the cipher suite requirements at MUST -- putting the responsibility for conforming on the administrator in some deployments -- but reduce the requirement to generate INADEQUATE_SECURITY to a SHOULD, thereby letting an implementation that doesn't have the ability (or desire) to enforce off the hook. > > Need to think through the implications of that, but WDYT? > > > I'm assuming the Y in WDYT opened that question up to the room :) > > I think this is reasonable on balance. As Martin has already noted we've tended to favor harder error handling requirements but if the practicalities of this protocol requirement mean it will be fulfilled by agreement outside of the h2 implementation (e.g. via config of a coordinated partner application) then it makes sense to be more flexible here wrt generating INADEQUATE_SECURITY. -- Mark Nottingham https://www.mnot.net/
Received on Thursday, 6 November 2014 04:01:13 UTC