- From: Simpson, Robby (GE Energy Management) <robby.simpson@ge.com>
- Date: Wed, 12 Nov 2014 20:17:11 +0000
- To: Mike Bishop <Michael.Bishop@microsoft.com>, Yoav Nir <ynir.ietf@gmail.com>, Mark Nottingham <mnot@mnot.net>
- CC: HTTP Working Group <ietf-http-wg@w3.org>

On 11/12/14, 1:56 PM, "Mike Bishop" <Michael.Bishop@microsoft.com> wrote:

>I think this is moving in a better direction, but Yoav's note is one of
>the biggest reasons why I think rather than trying to introduce a new
>concept of "mandatory to deploy," we should use the well-tested model of
>MUST implement, SHOULD use. This is one of many situations in which a
>deployment will know better than this WG which ciphers are appropriate to
>their environment. SHOULD means that if you don't, you're likely to have
>interop pain, which seems exactly applicable here. If you have local
>knowledge that leads you to depart from this behavior, you do that
>knowing clients outside your control won't talk to you as easily.

I've stayed silent thus far on this topic because I do applaud the efforts and concerns for securing the big 'I' Internet and the big 'W' Web.

However, in the embedded world, I think we will be using the RFC 7251 cipher suites (e.g., TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8) exclusively, at least for some time, due to the built-in hardware support for CCM.

So, I would encourage a re-think on the MTI/MTD language and possibly even slackening the requirements language ala Roy's comments in Honolulu.

- Robby

Received on Wednesday, 12 November 2014 20:17:40 UTC