RE: #612: 9.2.2 and ALPN

I would think the client MAY send INADEQUATE_SECURITY if any of the requirements in either section aren't honored.  For example, say the server selects TLS 1.1.

-----Original Message-----
From: Martin Thomson [mailto:martin.thomson@gmail.com] 
Sent: Thursday, November 13, 2014 7:12 PM
To: Mark Nottingham
Cc: HTTP Working Group
Subject: Re: #612: 9.2.2 and ALPN

On 13 November 2014 16:03, Martin Thomson <martin.thomson@gmail.com> wrote:
> There is one piece of collateral damage here that I think we will have 
> to decide on.  The draft previously had requirements for key strength 
> on DHE and ECDHE.  I've moved that to 9.2.1.  I want to make sure that 
> I call that out.

On consideration (and feedback on GitHub), I've changed this to include permission to use INADEQUATE_SECURITY in the case that the minimum key sizes are not negotiated.

Received on Friday, 14 November 2014 07:39:39 UTC
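
A client-side check of the kind discussed in this thread, as an added example that is not part of the original messages or of the draft text: it decides whether a negotiated connection warrants INADEQUATE_SECURITY and builds the GOAWAY frame that carries it. The `Negotiated` record and the function names are hypothetical; the 2048-bit DHE and 224-bit ECDHE minimums and the error code value 0xc are assumptions taken from the published RFC 7540, not from this thread.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

INADEQUATE_SECURITY = 0xC   # HTTP/2 error code (RFC 7540, section 7)
GOAWAY = 0x7                # HTTP/2 frame type
MIN_TLS = (1, 2)            # section 9.2: TLS 1.2 or higher
# Assumed from section 9.2.1 of RFC 7540 as published, not from this thread.
MIN_KEY_BITS = {"DHE": 2048, "ECDHE": 224}


@dataclass
class Negotiated:
    """Hypothetical record of what the TLS handshake selected."""
    alpn: str
    tls_version: Tuple[int, int]
    kex: str        # "DHE", "ECDHE", "RSA", ...
    kex_bits: int


def inadequate_reason(n: Negotiated) -> Optional[str]:
    """Return why the client MAY send INADEQUATE_SECURITY, or None."""
    if n.alpn != "h2":
        return None  # the requirements apply only when HTTP/2 was negotiated
    if n.tls_version < MIN_TLS:
        return "TLS version below 1.2"
    minimum = MIN_KEY_BITS.get(n.kex)
    if minimum is not None and n.kex_bits < minimum:
        return f"{n.kex} key of {n.kex_bits} bits is below {minimum}"
    return None


def goaway_frame(last_stream_id: int, error_code: int) -> bytes:
    """Serialize a GOAWAY frame: 9-byte header on stream 0, 8-byte payload."""
    payload = struct.pack(">II", last_stream_id & 0x7FFFFFFF, error_code)
    length = struct.pack(">I", len(payload))[1:]          # 24-bit length
    header = length + bytes([GOAWAY, 0]) + struct.pack(">I", 0)
    return header + payload


def client_reaction(n: Negotiated) -> Optional[bytes]:
    """Frame to send before closing, or None when the connection is acceptable."""
    if inadequate_reason(n) is None:
        return None
    return goaway_frame(0, INADEQUATE_SECURITY)
```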