- From: Jason Greene <jason.greene@redhat.com>
- Date: Wed, 12 Nov 2014 23:03:12 -0600
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Thank you everyone in Honolulu for working up this compromise. This approach addresses my major concern, which was that 9.2.2 was not widely implementable, leading to unnecessary interop problems.

> On Nov 11, 2014, at 8:03 PM, Mark Nottingham <mnot@mnot.net> wrote:
>
> We had a wide-ranging discussion about this issue in Honolulu today. After an introductory presentation <http://httpwg.github.io/wg-materials/ietf91/922.pdf>, and then much discussion/iteration, we ended up with this on the screen:
>
> -8<-
> If the ciphersuite selected for h2 is...
> BAD = peer MAY INADEQUATE_SECURITY
> !BAD = peer MUST NOT INADEQUATE_SECURITY
>
> Peers probably shouldn't negotiate BAD
>
> where BAD is a fixed in-spec blacklist
> ->8-
>
> Using the straw-man proposal on the last page of the PDF, this implies #5 (relax requirement to generate INADEQUATE_SECURITY) and a modification of #2 (Nominate a fixed list of suites for use with H2+TLS12) to a blacklist rather than a whitelist.
>
> Not explicit here but implied (and seemingly not controversial) were #1 (making all cipher suite requirements specific to TLS 1.2), #3 (keep the required interop suite as mandatory to deploy) and #4 (Clarify that cipher suite requirements apply to deployments, not impl).
>
> Note that there is NOT a requirement to use or not use particular cipher suites; only a prose note that if you do so, you may encounter problems. This is somewhat in the spirit of #4.
>
> #6 didn’t seem to get significant support, so I think the plan is to drop it.
>
> Martin is going to prepare a pull request with exact text, using the requirements currently in 9.2.2 to create the blacklist.
>
> Based on the reaction in the meeting (which included some but not all stakeholders) as well as some 1-to-1 discussions I’ve had with people who weren’t there, I believe that this is likely to be as close to a consensus position as we can get.
>
> Please comment or ask questions if need be, and indicate your support or lack thereof (now if you’re comfortable doing that, or after Martin shows exact text).
>
> Regards,
>
> --
> Mark Nottingham http://www.mnot.net/

--
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat
Received on Thursday, 13 November 2014 05:03:41 UTC
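The rule that ended up on the screen in Honolulu (a peer MAY send INADEQUATE_SECURITY when the negotiated suite is on the blacklist, and MUST NOT otherwise) and the accompanying note that peers probably shouldn't negotiate a BAD suite, as an added Go example that is not part of this thread or of any HTTP/2 implementation. It classifies IANA-style TLS 1.2 cipher suite names using this example's own reading of the draft 9.2.2 requirements (ephemeral key exchange authenticated by an RSA/ECDSA/DSS certificate, and an AEAD cipher); the actual blacklist was to come from Martin's pull request and is not reproduced here, and key-size requirements that cannot be judged from a suite name are out of scope. The function names, the criteria and the sample suite names are assumptions of this example. The GOAWAY encoding and the error code value 0xc follow the HTTP/2 framing layer.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"fmt"
	"strings"
)

// INADEQUATE_SECURITY is the HTTP/2 error code (0xc) a peer may send when the
// negotiated TLS cipher suite is on the fixed in-spec blacklist.
const INADEQUATE_SECURITY uint32 = 0xc

// Blacklisted reports whether an IANA-style TLS 1.2 cipher suite name falls
// under this example's reading of the draft 9.2.2 requirements: ephemeral,
// certificate-authenticated key exchange and an AEAD cipher. It is an
// illustration, not the list the eventual pull request produced.
func Blacklisted(suite string) (bool, string) {
	parts := strings.SplitN(suite, "_WITH_", 2)
	if len(parts) != 2 {
		// TLS 1.3 names (TLS_AES_128_GCM_SHA256 ...) carry no key exchange;
		// the rule discussed in the thread is specific to TLS 1.2.
		return false, "not a TLS 1.2 suite name; rule does not apply"
	}
	kx := strings.TrimPrefix(parts[0], "TLS_")
	cipher := parts[1]
	switch {
	case strings.HasPrefix(kx, "ECDHE_RSA"), strings.HasPrefix(kx, "ECDHE_ECDSA"),
		strings.HasPrefix(kx, "DHE_RSA"), strings.HasPrefix(kx, "DHE_DSS"):
		// ephemeral and certificate-authenticated: acceptable key exchange
	default:
		return true, "non-ephemeral or unauthenticated key exchange: " + kx
	}
	switch {
	case strings.Contains(cipher, "_GCM_"), strings.Contains(cipher, "_CCM"),
		strings.Contains(cipher, "CHACHA20_POLY1305"):
		return false, ""
	}
	// CBC, RC4, 3DES, NULL, EXPORT and friends all land here.
	return true, "non-AEAD cipher: " + cipher
}

// MaySendInadequateSecurity applies the agreed rule: MAY for a blacklisted
// suite, MUST NOT for anything else.
func MaySendInadequateSecurity(suite string) bool {
	bad, _ := Blacklisted(suite)
	return bad
}

// GoawayFrame encodes a GOAWAY frame (type 0x7, stream 0) carrying an error
// code, which is how a connection error such as INADEQUATE_SECURITY is sent.
func GoawayFrame(lastStreamID uint32, errCode uint32, debug []byte) []byte {
	payload := make([]byte, 8+len(debug))
	binary.BigEndian.PutUint32(payload[0:4], lastStreamID&0x7fffffff)
	binary.BigEndian.PutUint32(payload[4:8], errCode)
	copy(payload[8:], debug)
	frame := make([]byte, 9, 9+len(payload))
	frame[0] = byte(len(payload) >> 16) // 24-bit payload length
	frame[1] = byte(len(payload) >> 8)
	frame[2] = byte(len(payload))
	frame[3] = 0x7 // GOAWAY
	frame[4] = 0   // no flags; bytes 5..8 stay zero: stream identifier 0
	return append(frame, payload...)
}

// AllowedCipherSuites is the "peers probably shouldn't negotiate BAD" side:
// the suites Go's crypto/tls supports, minus the blacklisted ones, in a form
// usable as tls.Config.CipherSuites.
func AllowedCipherSuites() []uint16 {
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		if bad, _ := Blacklisted(cs.Name); !bad {
			ids = append(ids, cs.ID)
		}
	}
	return ids
}

func main() {
	// Constructed sample suite names; the first is the mandatory interop suite.
	for _, s := range []string{
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_RSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
		"TLS_AES_128_GCM_SHA256",
	} {
		bad, why := Blacklisted(s)
		fmt.Printf("%-42s blacklisted=%-5v may-send-INADEQUATE_SECURITY=%-5v %s\n",
			s, bad, MaySendInadequateSecurity(s), why)
	}
	fmt.Printf("GOAWAY(INADEQUATE_SECURITY): % x\n", GoawayFrame(0, INADEQUATE_SECURITY, nil))
	fmt.Printf("%d suites left for tls.Config.CipherSuites\n", len(AllowedCipherSuites()))
}
```

The mandatory interop suite must never be blacklisted, or the MUST NOT half of the rule would collide with the mandatory-to-deploy requirement; the check for that is the first thing worth asserting against any concrete blacklist.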