- From: Jason Greene <jason.greene@redhat.com>
- Date: Wed, 5 Nov 2014 23:26:41 -0600
- To: Greg Wilkins <gregw@intalio.com>
- Cc: Mark Nottingham <mnot@mnot.net>, Patrick McManus <mcmanus@ducksong.com>, Mike Bishop <Michael.Bishop@microsoft.com>, HTTP Working Group <ietf-http-wg@w3.org>

> On Nov 5, 2014, at 11:15 PM, Greg Wilkins <gregw@intalio.com> wrote:
>
> If we replace MUST with MAY, this makes the handshake fragility a much greater interoperability problem. If the server MAY respond with INADEQUATE_SECURITY, then it also MAY NOT. Jetty's deferral of cipher selection to the TLS layer will now be spec compliant and the failure to connect even though there were shared ciphers and protocols becomes a real problem today rather than a possible problem when faced with hypothetical future cipher names. This makes the handshake broken rather than fragile.
>
> I know I sound like a scratched record - but we MUST have a robust handshake that does not rely on how we "think" ciphers will evolve.

Hi Greg, can you take a look at the small proposal I sent a few days ago? I think it's closer to what you are looking for:

https://github.com/http2/http2-spec/pull/639/files

--
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat

Received on Thursday, 6 November 2014 05:27:16 UTC